Virtual Private Networks: Globalizing LANs. Timothy Hohman.
Page 1: VPN (PPT)

Virtual Private Networks

Globalizing LANs

Timothy Hohman

Page 2: VPN (PPT)

What is a VPN?

► Tell me about it, Microsoft: “A virtual private network (VPN) is the extension of a private network that encompasses links across shared or public networks like the Internet.” (Microsoft, 2001)

► It provides LAN access to end systems not physically located on the LAN

► An alternative to WANs (Wide Area Networks), which use leased lines to connect

Page 3: VPN (PPT)

Image courtesy Cisco Systems, Inc.

A typical VPN might have a main LAN at the corporate headquarters of a company, other LANs at remote offices or facilities, and individual users connecting from out in the field.

Page 4: VPN (PPT)

How does it work?

► Data is encrypted (cannot be deciphered without the key)

► Virtual point-to-point connection: to the user, it acts like a point-to-point connection

► Data is packaged with a header

Page 5: VPN (PPT)

Benefits of Using VPN

► Expand globally
► Costs reduced
  ► No dedicated lines necessary
► Easier
► Technology is on the end systems, which makes it more scalable
► No single point of failure
► Easier network management

Page 6: VPN (PPT)

Types of VPN

► Two types:
  ► Site-to-Site VPN
  ► Remote Access VPN

Page 7: VPN (PPT)

Remote Access VPN

► Essentially provides LAN access through a dial-up connection
  ► Typically done by purchasing a NAS (Network Access Server) with a toll-free number
  ► Can instead be done through a normal ISP connection, using the VPN software to make a virtual connection to the LAN

Page 8: VPN (PPT)

Site-to-Site VPN

► Connects two LANs over local ISP connections
► Very useful if you need to connect a branch to a main hub (big business)
► Much less expensive than purchasing one dedicated line between the hub and branch
► Intranet: connects remote locations of one company
► Extranet: connects two companies (partners) into one shared private network

Page 9: VPN (PPT)

Site-to-Site Connection

Page 10: VPN (PPT)

Two Ways to “Get it Done”

► Two tunneling protocols can be used:
  ► PPTP (Point-to-Point Tunneling Protocol)
  ► L2TP (Layer Two Tunneling Protocol)
► Tunneling encapsulates frames in an extra header so they can be passed over the Internet appearing as normal frames. The process includes:
  ► Encapsulation (adding the extra header), transmission, decapsulation (removing it again)
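As an added illustration (not part of the original slides), the encapsulate / transmit / decapsulate cycle in Python with a constructed tunnel header; the header layout, the tunnel and session identifiers and the PPP-style inner frame are assumptions for the demo, not the PPTP or L2TP wire formats.

```python
import struct

# Constructed tunnel header, for illustration only (not the PPTP/GRE or L2TP wire format):
# version(1) flags(1) tunnel_id(2) session_id(2) seq(4) length(2)
HDR = struct.Struct("!BBHHIH")
VERSION = 1

def encapsulate(inner_frame: bytes, tunnel_id: int, session_id: int, seq: int) -> bytes:
    """Prepend the tunnel header; the result is carried as an ordinary IP/UDP payload."""
    return HDR.pack(VERSION, 0, tunnel_id, session_id, seq, len(inner_frame)) + inner_frame

class TunnelEndpoint:
    """Decapsulating side: checks the header before handing the inner frame to the LAN."""
    def __init__(self, tunnel_id: int, session_id: int):
        self.tunnel_id = tunnel_id
        self.session_id = session_id
        self.last_seq = -1  # highest sequence number accepted so far

    def decapsulate(self, packet: bytes) -> bytes:
        if len(packet) < HDR.size:
            raise ValueError("truncated tunnel header")
        ver, _flags, tid, sid, seq, length = HDR.unpack_from(packet)
        if ver != VERSION:
            raise ValueError("unsupported tunnel version")
        if (tid, sid) != (self.tunnel_id, self.session_id):
            raise ValueError("packet does not belong to this tunnel/session")
        inner = packet[HDR.size:]
        if len(inner) != length:
            raise ValueError("declared length does not match payload")
        if seq <= self.last_seq:
            raise ValueError("stale or replayed sequence number")
        self.last_seq = seq
        return inner  # the original frame, ready for the LAN side

def accepts(endpoint: TunnelEndpoint, packet: bytes) -> bool:
    """True if the endpoint accepts the packet; used to show the rejection cases."""
    try:
        endpoint.decapsulate(packet)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed PPP-style frame: address 0xff, control 0x03, protocol 0x0021 (IPv4), payload
    frame = b"\xff\x03\x00\x21" + b"inner IP packet"
    wire = encapsulate(frame, tunnel_id=7, session_id=3, seq=1)
    lan_side = TunnelEndpoint(tunnel_id=7, session_id=3)
    print("on the wire:", wire.hex())
    print("decapsulated:", lan_side.decapsulate(wire), "replay accepted?", accepts(lan_side, wire))
```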

Page 11: VPN (PPT)

Tunneling Protocols

► Both of these protocols support these methods:
  ► User authentication
  ► Token card support (one-time passwords)
  ► Dynamic address assignment
  ► Data compression
  ► Data encryption
  ► Key management
  ► Multi-protocol support

Page 12: VPN (PPT)

Tunneling Protocols cont.

► Each is built on PPP (Point-to-Point Protocol), which has 4 phases:
► 1) Link Establishment: a physical link between the ends
► 2) User Authentication: password protocols are used (PAP, CHAP, MS-CHAP)
► 3) Call Back Control (optional): disconnects, and the server calls back after authentication
► 4) Data Transfer Phase: exactly what it sounds like

Page 13: VPN (PPT)

Tunneling Protocols cont.

► PPTP
  ► Uses IP datagrams for encapsulation
  ► Uses TCP for tunnel maintenance
  ► Uses encryption and compression
► L2TP
  ► Encapsulation in IP, ATM, Frame Relay, X.25
    ► IP when going over the Internet
  ► UDP used for tunnel maintenance

Page 14: VPN (PPT)

Advantages

► PPTP:
  ► No certificate infrastructure
  ► Can be used on more operating systems
  ► Can operate behind NATs
► L2TP:
  ► More tools to guarantee packet integrity and data security
  ► Requires user and computer certificates
  ► PPP authentication is encrypted (takes place after the IP security check)

Page 15: VPN (PPT)

Security

► Many types of security are offered, including:
  ► Firewalls
  ► Encryption
  ► IPSec
  ► Certificates
  ► AAA servers

Page 16: VPN (PPT)

Firewalls

► Can be used with a VPN if the right technology is set up on the router (a Cisco 1700 router, for example)
► Can restrict:
  ► The type of data being transferred
  ► The number of ports open
  ► Which protocols are allowed through

Page 17: VPN (PPT)

Encryption

► Symmetric Key Encryption (private key)
  ► All communicating computers use the same key, stored on their computer
► Asymmetric Key Encryption
  ► Uses a private key and a public key
    ► Private key stays on the local computer
    ► Public key is sent out to anyone you want to communicate with
    ► Mathematically related through the encryption algorithm
    ► Both keys are involved in every exchange: what one encrypts, only the other can decrypt

Page 18: VPN (PPT)

IPSec

► Made up of two parts
  ► Authentication Header
    ► Verifies data integrity
  ► Encapsulating Security Payload
    ► Data integrity
    ► Data encryption

Page 19: VPN (PPT)

IPSec continued

► Authentication Header
  ► Authentication data
  ► Sequence number
► Encapsulating Security Payload
  ► Encrypts data
  ► Another layer of integrity and authentication checks
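An added example, not from the slides or from any IPsec implementation: an ESP-style packet in Python carrying the sequence number and the truncated authentication data the slides list, with the receiver verifying the integrity check and a 64-packet anti-replay window before decrypting. The HMAC-based keystream is a constructed stand-in for a real cipher such as AES, and the keys and SPI values are made up for the demo.

```python
import hmac, hashlib, struct

WINDOW = 64      # anti-replay window width, in sequence numbers
ICV_LEN = 16     # truncated integrity check value, as IPsec does with HMAC

def keystream(key: bytes, seq: int, n: int) -> bytes:
    """Constructed stand-in for a real IPsec cipher (e.g. AES): HMAC-SHA256 run in
    counter mode, keyed by the packet sequence number so keystream is never reused."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack("!II", seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def esp_protect(enc_key: bytes, auth_key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Sender: SPI || sequence number || encrypted payload || ICV over everything before it."""
    body = struct.pack("!II", spi, seq) + xor(payload, keystream(enc_key, seq, len(payload)))
    return body + hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]

class EspReceiver:
    def __init__(self, enc_key: bytes, auth_key: bytes, spi: int):
        self.enc_key, self.auth_key, self.spi = enc_key, auth_key, spi
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) already accepted

    def unprotect(self, pkt: bytes):
        """Returns the plaintext, or None if the packet must be dropped."""
        if len(pkt) < 8 + ICV_LEN:
            return None
        body, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
        expected = hmac.new(self.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(expected, icv):
            return None  # integrity failure: drop before decrypting or touching the window
        spi, seq = struct.unpack("!II", body[:8])
        if spi != self.spi or seq == 0:
            return None  # wrong security association, or sequence number 0 (never sent)
        if seq > self.top:                      # newer than anything seen: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1) if shift < WINDOW else 1
            self.top = seq
        else:                                   # older: must be inside the window and unseen
            off = self.top - seq
            if off >= WINDOW or (self.bitmap >> off) & 1:
                return None  # too old, or a replay of an already accepted packet
            self.bitmap |= 1 << off
        ct = body[8:]
        return xor(ct, keystream(self.enc_key, seq, len(ct)))
```

Because the ICV is verified before the window is updated, a forged packet with a high sequence number cannot push the window forward and lock out legitimate traffic.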

Page 20: VPN (PPT)

Certificates

► Used alongside public keys
  ► Contains:
    ► Certificate name
    ► Owner of the public key
    ► The public key itself
    ► Expiration date
    ► Certificate authority
  ► Verifies that information is coming from the holder of the matching private key
  ► Can be distributed on disks, smart cards, or electronically

Page 21: VPN (PPT)

AAA Servers

► Authentication, Authorization, Accounting
  ► These advanced servers ask each user who they are, what they are allowed to do, and what they actually want to do each time they connect
  ► This allows the LAN to track usage from dial-up connections and closely monitor those remotely connected as it would those physically connected.

Page 22: VPN (PPT)

How can I get this up and running?

► You need:
  ► Software on each end system
    ► Windows: PPTP
  ► Dedicated hardware (firewalls, routers, etc.)
  ► Dedicated VPN server
  ► May need a NAS

Page 23: VPN (PPT)

A Hardware Example

► http://www.youtube.com/watch?v=lq-ShHMofEQ

Page 24: VPN (PPT)

An Example of VPN in Action

► 2001: Cisco's direct-connect company filed for bankruptcy
► Changing over the 9000 employees to different direct-connect companies would be very costly and would take 10 times the available staff to pull off

Page 25: VPN (PPT)

The VPN Solution

► User-managed solution based on VPN software
► Users provide their own Internet connection
► Cisco provided IT support for VPN problems and provided the gateway from the Internet to the Cisco network

Page 26: VPN (PPT)

Benefits of the Change

► Productivity
► Employee satisfaction
  ► Able to work from home, making work/home balance easier
► Globalization
► Flexibility
► Easier when letting employees go
  ► Ex-employees do not have to have a dedicated line removed; they simply lose authentication to the AAA server
► Cost, cost, cost

Page 27: VPN (PPT)

Things to Come

► Expansion: China and India
► Faster upgrades: use of Microsoft Installer
► Better encryption: Advanced Encryption Standard
► Better compression
► Voice and video over VPN

Page 28: VPN (PPT)

Things to Come cont.

► Wireless vendor support: access to employees from anywhere
► PDA support: possible software packages to be used on PDAs
► Hardware for home client: as shown in the previous clip

Page 29: VPN (PPT)

References

► Cisco Systems (2004). Cisco VPN Client Brings Flexibility and Cost Reduction to Cisco Remote Access Solution. Retrieved from: http://www.cisco.com/web/about/ciscoitatwork/downloads/ciscoitatwork/pdf/Cisco_IT_Case_Study_VPN_Client_print.pdf

► Jeff Tyson (2007). How Virtual Private Networks Work. Retrieved from: http://computer.howstuffworks.com/vpn.htm

► Barrel, Matthew D. (2006). Take your network anywhere. PC Magazine, 25(21), p. 122.

► Calin, Doru; McGee, Andrew R.; Chandrashekhar, Uma; Prasad, Ramjee (2006). MAGNET: An approach for secure personal networking in beyond 3G wireless networks. Bell Labs Technical Journal, 11(1), pp. 79–98.

► Tanner, John C. (2006). Ethernet rides the NGN wave. America’s Network, 110(2), pp. 40–43.