VPN (Virtual Private Network)

A VPN extends a private network across a public network like the Internet and enables secure access to an organization's network from remote locations. It works by encrypting data at the sending end and decrypting it at the receiving end, ensuring privacy through security procedures and tunneling protocols. Common types of VPNs include site-to-site VPNs for connecting two networks, client VPNs for remote access by devices or users, and SSL VPNs which use a web browser without requiring pre-installed software. VPNs use protocols like IPsec and SSL/TLS along with authentication, encryption, and other security measures to establish secure connections.

Uploaded by Abu Fadilah

VPN (Virtual Private Network)

A VPN (Virtual Private Network) extends a private network across a public network, such as the
Internet.

A VPN is a network that uses a public telecommunication infrastructure, such as the Internet, to provide
remote offices or individual users with secure access to their organization's network. A VPN ensures
privacy through security procedures and tunneling protocols such as the Layer Two Tunneling Protocol
(L2TP). Data is encrypted at the sending end and decrypted at the receiving end.

Figure 1: What is a VPN?

A VPN connection across the Internet is similar to a wide area network (WAN) link between sites.
From a user perspective, the extended network resources are accessed in the same way as resources
available within the private network. One major limitation of traditional VPNs is that they are point-to-
point, and do not tend to support or connect broadcast domains. Therefore, communication, software,
and networking that are based on layer 2 and broadcast packets, such as NetBIOS used in Windows
networking, may not be fully supported or work exactly as they would on a real LAN. Variants on VPN,
such as Virtual Private LAN Service (VPLS), and layer 2 tunneling protocols, are designed to overcome
this limitation.

VPNs allow employees to securely access their company's intranet while traveling outside the office.
Similarly, VPNs securely connect geographically separated offices of an organization, creating one
cohesive network. VPN technology is also used by individual Internet users to secure their wireless
transactions, to circumvent geo restrictions and censorship, and to connect to proxy servers for the
purpose of protecting personal identity and location.

A well-designed VPN can greatly benefit a company. For example, it can:

1. Extend geographic connectivity
2. Reduce operational costs versus traditional WANs
3. Reduce transit times and traveling costs for remote users
4. Improve productivity
5. Simplify network topology
6. Provide global networking opportunities
7. Provide telecommuter support
8. Provide faster Return On Investment (ROI) than traditional WAN

What features are needed in a well-designed VPN? It should incorporate these items:

1. Security
2. Reliability
3. Scalability
4. Network Management
5. Policy Management
6. Security mechanisms

To prevent disclosure of private information, VPNs typically allow only authenticated remote access and
make use of encryption techniques.

VPNs provide security by the use of tunneling protocols and through security procedures such as
encryption.

The VPN security model provides:

1. Confidentiality such that even if the network traffic is sniffed at the packet level (see network
sniffer and Deep packet inspection), an attacker would only see encrypted data.
2. Sender authentication to prevent unauthorized users from accessing the VPN.
3. Message integrity to detect any instances of tampering with transmitted messages.

Secure VPN protocols include the following:


1. Internet Protocol Security (IPsec) as initially developed by the Internet Engineering Task Force
(IETF) for IPv6, which was required in all standards-compliant implementations of IPv6 before
RFC 6434 made it only a recommendation. This standards-based security protocol is also widely
used with IPv4 and the Layer 2 Tunneling Protocol. Its design meets most security goals:
authentication, integrity, and confidentiality. IPsec uses encryption, encapsulating an IP packet
inside an IPsec packet. De-encapsulation happens at the end of the tunnel, where the original IP
packet is decrypted and forwarded to its intended destination.

2. Transport Layer Security (SSL/TLS) can tunnel an entire network's traffic (as it does in the
OpenVPN project and SoftEther VPN project) or secure an individual connection. A number of
vendors provide remote-access VPN capabilities through SSL. An SSL VPN can connect from
locations where IPsec runs into trouble with Network Address Translation and firewall rules.

3. Datagram Transport Layer Security (DTLS)- Used in Cisco AnyConnect VPN and in OpenConnect
VPN to solve the issues SSL/TLS has with tunneling over UDP.

4. Microsoft Point-to-Point Encryption (MPPE) works with the Point-to-Point Tunneling Protocol
and in several compatible implementations on other platforms.

5. Microsoft Secure Socket Tunneling Protocol (SSTP) tunnels Point-to-Point Protocol (PPP) or Layer
2 Tunneling Protocol traffic through an SSL 3.0 channel. (SSTP was introduced in Windows Server
2008 and in Windows Vista Service Pack 1.)

6. Multi Path Virtual Private Network (MPVPN). Ragula Systems Development Company owns the
registered trademark "MPVPN".

7. Secure Shell (SSH) VPN- OpenSSH offers VPN tunneling (distinct from port forwarding) to secure
remote connections to a network or to inter-network links. OpenSSH server provides a limited
number of concurrent tunnels. The VPN feature itself does not support personal authentication.

Authentication
Tunnel endpoints must be authenticated before secure VPN tunnels can be established. User-created
remote-access VPNs may use passwords, biometrics, two-factor authentication or other cryptographic
methods. Network-to-network tunnels often use passwords or digital certificates. They permanently
store the key to allow the tunnel to establish automatically, without intervention from the user.

Types of VPN

• Site-to-site VPN

Figure 2 Site to Site VPN



Often abbreviated to S2SVPN. It is a connection between two sites that encrypts all traffic between two
(or more) subnets. There are two types of S2SVPN:

1. Policy-based: traffic that matches an ACL (the "interesting traffic") is encrypted and sent to the
remote VPN peer.
2. Routed: traffic is routed into an encrypted tunnel to the remote VPN peer.

• DMVPN (Dynamic Multipoint VPN)

Figure 3 DMVPN (Dynamic Multipoint VPN)

A Dynamic Multipoint VPN is not a protocol but a technique that combines several protocols. One or
more central hub routers are required, but the remote (spoke) routers can have dynamic IP addresses, and
more spokes can be added without modifying the configuration of the hub router(s) or of any other
spoke router. The routers use the Next Hop Resolution Protocol (NHRP), combined with a dynamic
routing protocol, to discover remote peers and subnets. The VPN itself is an encrypted mGRE tunnel
(GRE with multiple endpoints). This way, traffic between spoke routers does not have to pass through
the hub router but can be sent directly from spoke to spoke.

• Client VPN

Figure 4 Client VPN

A Client VPN is an encrypted connection from one device towards a VPN router. It makes that one
remote device appear as a member of a local subnet behind the VPN router. Traffic is tunneled from the
device (usually a computer or laptop of a teleworker) towards the VPN router so that user has access to
resources inside the company. It requires client software that needs to be installed and configured.

• SSLVPN

Figure 5 SSLVPN

This type of VPN works like a client VPN. The difference is that the remote client does not need
preconfigured software; instead the browser acts as the VPN software. The browser needs to support
active content, which every modern browser does, either directly or through a plug-in. Traffic is
tunneled over SSL (or TLS) to the SSLVPN router. From a networking perspective, traffic is tunneled over
layer 4 instead of layer 3. The benefit is that the remote user does not need to configure anything and
can simply log in to a web page to start the tunnel. The drawback is that you will likely need a dedicated
device as the SSLVPN endpoint, because this is not a standard feature.

Protocols
For secure VPNs:

1. General IPsec
2. ESP and AH (encryption and authentication headers)
3. Key exchange (ISAKMP, IKE, and others)
4. Cryptographic algorithms
5. IPsec policy handling
6. Remote access
7. SSL and TLS

For trusted VPNs:

1. General MPLS
2. MPLS constrained by BGP routing
3. Transport of layer 2 frames over MPLS

How VPNs Work

When planning or extending a VPN, you should consider the following equipment:

1. Network Access Server- A NAS is responsible for setting up and maintaining each tunnel in a
remote-access VPN.

2. Firewall- A firewall provides a strong barrier between your private network and the Internet. IT
staff can set firewalls to restrict what type of traffic can pass through from the Internet onto a
LAN, and on what TCP and UDP ports. Even without a VPN, a LAN should include a firewall to
help protect against malicious Internet traffic.

3. AAA Server- The acronym stands for the server's three responsibilities: authentication,
authorization and accounting. For each VPN connection, the AAA server confirms who you are
(authentication), identifies what you're allowed to access over the connection (authorization)
and tracks what you do while you're logged in (accounting).

One widely used standard for AAA servers is Remote Authentication Dial-in User Service (RADIUS).
Despite its name, RADIUS isn't just for dial-up users. When a RADIUS server is part of a VPN, it handles
authentication for all connections coming through the VPN's NAS.

VPN components can run alongside other software on a shared server, but this is not typical, and it
could put the security and reliability of the VPN at risk. A small business that isn't outsourcing its VPN
services might deploy firewall and RADIUS software on generic servers. However, as a business's VPN
needs increase, so does its need for equipment that's optimized for the VPN. The following are
dedicated VPN devices a business can add to its network. You can purchase these devices from
companies that produce network equipment, such as Cisco:

1. VPN Concentrator- This device replaces an AAA server installed on a generic server. The
hardware and software work together to establish VPN tunnels and handle large numbers of
simultaneous connections.

2. VPN-enabled/VPN-optimized Router- This is a typical router that delegates traffic on a network,
but with the added feature of routing traffic using protocols specific to VPNs.

3. VPN-enabled Firewall- This is a conventional firewall protecting traffic between networks, but
with the added feature of managing traffic using protocols specific to VPNs.

4. VPN Client- This is software running on a dedicated device that acts as the tunnel interface for
multiple connections. This setup spares each computer from having to run its own VPN client
software.

VPN Technologies
A well-designed VPN uses several methods in order to keep your connection and data secure.

Data Confidentiality- This is perhaps the most important service provided by any VPN implementation.
Since your private data travels over a public network, data confidentiality is vital and can be attained by
encrypting the data. This is the process of taking all the data that one computer is sending to another
and encoding it into a form that only the other computer will be able to decode.

Most VPNs use one of these protocols to provide encryption.

IPsec- Internet Protocol Security Protocol (IPsec) provides enhanced security features such as stronger
encryption algorithms and more comprehensive authentication. IPsec has two encryption modes: tunnel
and transport. Tunnel mode encrypts the header and the payload of each packet while transport mode
only encrypts the payload. Only systems that are IPsec-compliant can take advantage of this protocol.
Also, all devices must use a common key or certificate and must have very similar security policies set
up.

For remote-access VPN users, some form of third-party software package provides the connection and
encryption on the users PC. IPsec supports either 56-bit (single DES) or 168-bit (triple-DES) encryption.

PPTP/MPPE- PPTP was created by the PPTP Forum, a consortium which includes US Robotics, Microsoft,
3COM, Ascend, and ECI Telematics. PPTP supports multi-protocol VPNs, with 40-bit and 128-bit
encryption using a protocol called Microsoft Point-to-Point Encryption (MPPE). It is important to note
that PPTP by itself does not provide data encryption.

L2TP/IPsec- Commonly called L2TP over IPsec, this provides the security of the IPsec protocol over the
tunneling of Layer 2 Tunneling Protocol (L2TP). L2TP is the product of a partnership between the
members of the PPTP forum, Cisco, and the Internet Engineering Task Force (IETF). Primarily used for
remote-access VPNs with Windows 2000 operating systems, since Windows 2000 provides a native
IPsec and L2TP client. Internet Service Providers can also provide L2TP connections for dial-in users, and
then encrypt that traffic with IPsec between their access-point and the remote office network server.

Data Integrity- While it is important that your data is encrypted over a public network, it is just as
important to verify that it has not been changed while in transit. For example, IPsec has a mechanism to
ensure that the encrypted portion of the packet, or the entire header and data portion of the packet,
has not been tampered with. If tampering is detected, the packet is dropped. Data integrity can also
involve authenticating the remote peer.

Data Origin Authentication- It is extremely important to verify the identity of the source of the data that
is sent. This is necessary to guard against a number of attacks that depend on spoofing the identity of
the sender.

Anti-Replay- This is the ability to detect and reject replayed packets and helps prevent spoofing.
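The integrity, data-origin and anti-replay services described in the three paragraphs above are applied together on the receiving side of one IPsec security association, and the order in which they are applied matters. The following Python is an added example written for this page (it is not code from the document or from any IPsec implementation): it models the inbound processing order of RFC 4303 (ESP) with an ESP-like header of SPI and sequence number, an HMAC-SHA256 integrity check value truncated to 128 bits, and the 64-packet sliding anti-replay window. The packet layout, the key and the sequence of packets are constructed for the demonstration; real ESP also encrypts the payload, which is left out here so the example stays within the standard library.

```python
import hashlib
import hmac
import struct

ICV_LEN = 16          # HMAC-SHA256 truncated to 128 bits (as HMAC-SHA-256-128 does in IPsec)
WINDOW_SIZE = 64      # minimum anti-replay window size required by RFC 4303


def seal(auth_key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Sender side: SPI | sequence number | payload | ICV (constructed ESP-like layout, no encryption)."""
    body = struct.pack("!II", spi, seq) + payload
    icv = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


class InboundSA:
    """Receiver state for one unidirectional SA: the integrity key plus the sliding window."""

    def __init__(self, spi: int, auth_key: bytes, window: int = WINDOW_SIZE):
        self.spi = spi
        self.auth_key = auth_key
        self.window = window
        self.highest = 0   # highest sequence number accepted so far (0 = nothing yet)
        self.bitmap = 0    # bit i set <=> sequence number (highest - i) was already accepted

    def _replay_check(self, seq: int) -> bool:
        """Preliminary check, done before the (more expensive) ICV verification."""
        if seq == 0:                        # the first packet on an SA is number 1
            return False
        if seq > self.highest:              # right of the window: new
            return True
        offset = self.highest - seq
        if offset >= self.window:           # left of the window: too old
            return False
        return not (self.bitmap >> offset) & 1   # inside the window: new only if not seen

    def _window_update(self, seq: int) -> None:
        """Record seq only after its ICV verified, so forged packets cannot move the window."""
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def receive(self, packet: bytes):
        """Return (accepted, reason), following the RFC 4303 inbound order."""
        if len(packet) < 8 + ICV_LEN:
            return False, "truncated"
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        spi, seq = struct.unpack("!II", body[:8])
        if spi != self.spi:
            return False, "unknown SPI"
        if not self._replay_check(seq):
            return False, "replayed or outside window"
        expected = hmac.new(self.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):       # integrity + data origin
            return False, "integrity check failed"
        self._window_update(seq)
        return True, "accepted"


def run_scenario():
    """Constructed traffic: in-order packets, a replay, a jump ahead, a late packet, a forgery."""
    key = b"constructed-demo-key-not-a-real-sa-key"
    spi = 0x1001
    sa = InboundSA(spi, key)
    results = []
    for seq in (1, 2, 3):
        results.append(sa.receive(seal(key, spi, seq, b"data"))[0])
    results.append(sa.receive(seal(key, spi, 2, b"data"))[0])    # replay of #2  -> rejected
    results.append(sa.receive(seal(key, spi, 70, b"data"))[0])   # jump ahead    -> accepted, window slides
    results.append(sa.receive(seal(key, spi, 5, b"data"))[0])    # 65 behind     -> too old, rejected
    results.append(sa.receive(seal(key, spi, 7, b"data"))[0])    # 63 behind     -> still inside window
    forged = bytearray(seal(key, spi, 71, b"data"))
    forged[8] ^= 0xFF                                              # modified payload byte
    results.append(sa.receive(bytes(forged))[0])                   # bad ICV       -> rejected, window untouched
    results.append(sa.receive(seal(key, spi, 71, b"data"))[0])   # genuine #71   -> accepted
    return results, sa.highest


if __name__ == "__main__":
    print(run_scenario())
```

The replay check runs before the ICV check so that obvious duplicates are discarded cheaply, but the window is only advanced after the ICV verifies; otherwise a forged packet with a high sequence number could push genuine traffic out of the window.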

Data Tunneling/Traffic Flow Confidentiality- Tunneling is the process of encapsulating an entire packet
within another packet and sending it over a network. Data tunneling is helpful in cases where it is
desirable to hide the identity of the device originating the traffic. For example, a single device that uses
IPsec encapsulates traffic that belongs to a number of hosts behind it and adds its own header on top of
the existing packets. By encrypting the original packet and header (and routing the packet based on the
additional layer 3 header added on top), the tunneling device effectively hides the actual source of the
packet. Only the trusted peer is able to determine the true source, after it strips away the additional
header and decrypts the original header. As noted in RFC 2401, "...disclosure of the
external characteristics of communication also can be a concern in some circumstances. Traffic flow
confidentiality is the service that addresses this latter concern by concealing source and destination
addresses, message length, or frequency of communication. In the IPsec context, using ESP in tunnel
mode, especially at a security gateway, can provide some level of traffic flow confidentiality."

All the encryption protocols listed here also use tunneling as a means to transfer the encrypted data
across the public network. It is important to realize that tunneling, by itself, does not provide data
security. The original packet is merely encapsulated inside another protocol and might still be visible
with a packet-capture device if not encrypted. It is mentioned here, however, since it is an integral part
of how VPNs function.

Tunneling requires three different protocols:

1. Passenger protocol- The original data (IPX, NetBEUI, IP) that is carried.
2. Encapsulating protocol- The protocol (GRE, IPsec, L2F, PPTP, L2TP) that is wrapped around the
original data.
3. Carrier protocol- The protocol used by the network over which the information is traveling.

The original packet (Passenger protocol) is encapsulated inside the encapsulating protocol, which is then
put inside the carrier protocol's header (usually IP) for transmission over the public network. Note that
the encapsulating protocol also quite often carries out the encryption of the data. Protocols such as IPX
and NetBeui, which would normally not be transferred across the Internet, can safely and securely be
transmitted.
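As an added illustration of the passenger/encapsulating/carrier layering (example code written for this page, not part of the original document), the following Python builds a passenger IPv4 packet, wraps it in a GRE header and then in a carrier IPv4 header, strips both again, and checks that the passenger bytes are still readable inside the carrier packet, which is the point made above that tunneling alone gives no confidentiality. The tunnel and host addresses are the ones used in the site-to-site example later in this document; the packet contents are constructed; the GRE header is the 4-byte base header of RFC 2784 with no optional fields.

```python
import ipaddress
import struct

IP_PROTO_GRE = 47           # carrier IPv4 "protocol" value announcing a GRE payload
GRE_PROTO_IPV4 = 0x0800     # GRE protocol-type field for an IPv4 passenger (EtherType value)
GRE_OPTIONAL_BITS = 0xB000  # C (checksum), K (key) and S (sequence) flag bits of the GRE header


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (caller zeroes the checksum field)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def gre_encapsulate(passenger: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Passenger (inner IPv4) -> encapsulating protocol (GRE) -> carrier (outer IPv4).

    The outer header is addressed between the tunnel endpoints, so routers on the public
    network forward on it and never need a route to the private inner subnets.
    """
    gre_header = struct.pack("!HH", 0, GRE_PROTO_IPV4)   # flags/version = 0, protocol = IPv4
    return build_ipv4(tunnel_src, tunnel_dst, IP_PROTO_GRE, gre_header + passenger)


def gre_decapsulate(carrier: bytes) -> bytes:
    """Reverse the layering: validate the outer header, strip it and the GRE header."""
    ihl = (carrier[0] & 0x0F) * 4
    if carrier[9] != IP_PROTO_GRE:
        raise ValueError("carrier packet does not carry GRE")
    flags, proto = struct.unpack("!HH", carrier[ihl:ihl + 4])
    if flags & GRE_OPTIONAL_BITS:
        raise ValueError("GRE checksum/key/sequence fields are not handled here")
    if proto != GRE_PROTO_IPV4:
        raise ValueError("unexpected passenger protocol 0x%04x" % proto)
    return carrier[ihl + 4:]


def payload_visible_in_carrier(carrier: bytes, passenger_payload: bytes) -> bool:
    """Tunneling without encryption: the inner bytes appear verbatim on the public network."""
    return passenger_payload in carrier


def demo():
    # Constructed sample: a host behind R1 sends a TCP segment (protocol 6) to a host behind R2.
    inner_payload = b"GET /payroll HTTP/1.1\r\n"       # constructed application data
    passenger = build_ipv4("192.168.101.100", "192.168.102.100", 6, inner_payload)
    carrier = gre_encapsulate(passenger, "101.1.1.100", "102.1.1.100")
    assert gre_decapsulate(carrier) == passenger
    return {
        "carrier_len": len(carrier),
        "outer_proto": carrier[9],
        "payload_exposed": payload_visible_in_carrier(carrier, inner_payload),
    }


if __name__ == "__main__":
    print(demo())
```

The 24 bytes of overhead (20 for the carrier header, 4 for GRE) are the price of crossing the public network with private addresses; the exposed payload is why, in a VPN, the encapsulating protocol is IPsec or GRE carried inside IPsec rather than GRE alone.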

For site-to-site VPNs, the encapsulating protocol is usually IPsec or Generic Routing Encapsulation (GRE).
GRE includes information on what type of packet you are encapsulating and information about the
connection between the client and server.

For remote-access VPNs, tunneling normally takes place using Point-to-Point Protocol (PPP). Part of the
TCP/IP stack, PPP is the carrier for other IP protocols when communicating over the network between
the host computer and a remote system. PPP tunneling will use one of PPTP, L2TP or Cisco's Layer 2
Forwarding (L2F).

AAA- Authentication, authorization, and accounting is used for more secure access in a remote-access
VPN environment. Without user authentication, anyone who sits at a laptop/PC with pre-configured
VPN client software can establish a secure connection into the remote network. With user
authentication however, a valid username and password also has to be entered before the connection is
completed. Usernames and passwords can be stored on the VPN termination device itself, or on an
external AAA server, which can provide authentication to numerous other databases such as Windows
NT, Novell, LDAP, and so on.

When a request to establish a tunnel comes in from a dial-up client, the VPN device prompts for a
username and password. This can then be authenticated locally or sent to the external AAA server,
which checks:

• Who you are (Authentication)
• What you are allowed to do (Authorization)
• What you actually do (Accounting)

The Accounting information is especially useful for tracking client use for security auditing, billing or
reporting purposes.

Nonrepudiation- In certain data transfers, especially those related to financial transactions,
nonrepudiation is a highly desirable feature. This is helpful in preventing situations where one end
denies having taken part in a transaction. Much like a bank requires your signature before honoring your
check, nonrepudiation works by attaching a digital signature to the sent message, thus precluding the
possibility of the sender denying participation in the transaction.

A number of protocols exist that can be used to build a VPN solution. All of these protocols provide
some subset of the services listed in this document. The choice of a protocol depends on the desired set
of services. For example, an organization might be comfortable with the data being transferred in clear
text but extremely concerned about maintaining its integrity, while another organization might find
maintaining data confidentiality absolutely essential. Their choice of protocols might thus be different.

Site-to-Site or LAN-to-LAN VPN

Figure 6 Site to Site VPN


It provides secure IP communication between two branches over an insecure network.

IPsec/VPN

1. IKE (Internet Key Exchange)
2. ESP (Encapsulating Security Payload)
3. AH (Authentication Header)

VPN Features
1. Confidentiality- Data is kept secret using encryption (DES, 3DES, AES).
2. Integrity- Data is not altered during transmission; this is verified with a hash (MD5, SHA).
3. Data Origin Authentication- Both devices authenticate each other using a pre-shared key or a
certificate.
4. Anti-Replay- A packet that arrives late (outside the replay window) is treated as altered and
dropped. Limits are time- and volume-based.

IKE- IKE provides a framework to exchange the security parameters and policies between two VPN
peers.

IKE Mode                    IKE Phase
Main Mode or Aggressive     Phase 1
Quick Mode                  Phase 2

• Main Mode- In main mode, six messages are exchanged in three steps:

(Note: Proposal = security parameters and policies.)

Figure 7

1. They exchange proposals
2. They exchange keys
3. They authenticate each other

• Aggressive Mode

Figure 8

1. The initiator sends its own proposal and secret to the responder.
2. The responder authenticates it and sends its own proposal and secret to the initiator.
3. The initiator authenticates the session.

• Quick Mode- In quick mode the peers re-check their security parameters and policies.

Phase 1

In IKE Phase 1 the peers create a single bidirectional IKE tunnel.

Phase 2

In IKE Phase 2 they create multiple unidirectional IPsec tunnels.

VPN Feature        ESP    AH
Confidentiality    Yes    No
Integrity          Yes    Yes
DOA                Yes    Yes
Anti-Replay        Yes    Yes

(ESP is carried as IP protocol number 50.)

IPsec modes:

1. Transport Mode (protects L4 and upper layers)
2. Tunnel Mode (protects L3 and upper layers); used for site-to-site VPN and GET VPN

• ISAKMP- Internet Security Association and Key Management Protocol.

IKE is a management protocol; it uses another protocol, ISAKMP, for key exchange. ISAKMP uses
UDP port 500.

Example

Figure 9 Site to Site VPN Topology


PC1(config)#int fa0/0
PC1(config-if)#ip add 192.168.101.100 255.255.255.0
PC1(config-if)#no shut
PC1(config-if)#exit
PC1(config)#ip route 0.0.0.0 0.0.0.0 192.168.101.1

PC2(config)#int fa0/0
PC2(config-if)#ip add 192.168.102.100 255.255.255.0
PC2(config-if)#no shut
PC2(config-if)#exit
PC2(config)#ip route 0.0.0.0 0.0.0.0 192.168.102.1

R1(config)#int fa0/0
R1(config-if)#ip add 192.168.101.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#int s0/0
R1(config-if)#ip add 101.1.1.100 255.255.255.0
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 101.1.1.1
R1#sh ip route static

ISP(config)#int s0/0
ISP(config-if)#ip add 101.1.1.1 255.255.255.0
ISP(config-if)#no shut
ISP(config-if)#int s0/1
ISP(config-if)#ip add 102.1.1.1 255.255.255.0
ISP(config-if)#no shut

R2(config)#int fa0/0
R2(config-if)#ip add 192.168.102.1 255.255.255.0
R2(config-if)#no shut
R2(config-if)#int s0/0
R2(config-if)#ip add 102.1.1.100 255.255.255.0
R2(config-if)#no shut
R2(config-if)#exit
R2(config)#ip route 0.0.0.0 0.0.0.0 102.1.1.1
R2#sh ip route static
R2#ping 101.1.1.100
Successful
R2#ping 192.168.102.100
Successful
R2#ping 102.1.1.100
Successful

R1#ping 192.168.101.100
Successful

PC1#ping 192.168.102.100
(Before the VPN is configured this end-to-end ping is expected to fail: the ISP router has no route to
the private 192.168.101.0/24 and 192.168.102.0/24 subnets. The same ping is repeated at the end, after
the crypto maps have been applied.)

R1(config)#crypto isakmp policy 1
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#encryption ?
R1(config-isakmp)#encryption aes
R1(config-isakmp)#hash ?
R1(config-isakmp)#hash sha
R1(config-isakmp)#group ?
R1(config-isakmp)#group 5
R1(config-isakmp)#lifetime 1800
R1(config-isakmp)#exit
R1(config)#crypto isakmp key mani address 102.1.1.100
R1(config)#crypto ipsec transform-set t-set esp-aes esp-sha-hmac
R1(cfg-crypto-trans)#mode tunnel
R1(cfg-crypto-trans)#exit
R1(config)#crypto ipsec security-association lifetime seconds 1800
R1(config)#access-list 101 permit ip 192.168.101.0 0.0.0.255 192.168.102.0 0.0.0.255
R1(config)#crypto map test 10 ipsec-isakmp
R1(config-crypto-map)#set peer 102.1.1.100
R1(config-crypto-map)#set transform-set t-set
R1(config-crypto-map)#match address 101
R1(config-crypto-map)#int s0/0
R1(config-if)#crypto map test
R1#sh history

R2(config)#crypto isakmp policy 1
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#encryption aes
R2(config-isakmp)#hash sha
R2(config-isakmp)#group 5
R2(config-isakmp)#lifetime 1800
R2(config-isakmp)#exit
R2(config)#crypto isakmp key mani address 101.1.1.100
R2(config)#crypto ipsec transform-set ttt esp-aes esp-sha-hmac
R2(cfg-crypto-trans)#mode tunnel
R2(cfg-crypto-trans)#exit
R2(config)#crypto ipsec security-association lifetime seconds 1800
R2(config)#access-list 102 permit ip 192.168.102.0 0.0.0.255 192.168.101.0 0.0.0.255
R2(config)#crypto map test 10 ipsec-isakmp
R2(config-crypto-map)#set peer 101.1.1.100
R2(config-crypto-map)#set transform-set ttt
R2(config-crypto-map)#match address 102
R2(config-crypto-map)#int s0/0
R2(config-if)#crypto map test
R2#sh history

PC1#ping 192.168.102.100 repeat 300
Successful
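Policy-based site-to-site VPNs (the first S2SVPN type described earlier) select the "interesting" traffic with a crypto ACL, and the two peers' ACLs have to be mirror images of each other, as access-list 101 on R1 and access-list 102 on R2 are in the configuration above. The Python below is an added example written for this page, not the document's or Cisco's code: it parses the "access-list N permit ip SRC WILDCARD DST WILDCARD" form used above (and only that form), applies IOS wildcard-mask semantics to decide whether a given packet would be encrypted into the tunnel or forwarded in the clear, and checks the mirror-image property between two peers. The sample packets and the deliberately mismatched R2 ACL are constructed; 203.0.113.10 is a documentation-range placeholder for an Internet host.

```python
import ipaddress


def parse_crypto_acl(lines):
    """Parse 'access-list N permit ip SRC SRC-WC DST DST-WC' lines into (src, src_wc, dst, dst_wc).

    Only the extended-ACL form used in the configuration above is accepted; anything else
    (host/any keywords, deny entries, port qualifiers) is rejected rather than guessed at.
    Addresses are kept as 32-bit integers so that wildcard arithmetic is direct.
    """
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) != 8 or parts[0] != "access-list" or parts[2:4] != ["permit", "ip"]:
            raise ValueError("unsupported ACE: %r" % line)
        entries.append(tuple(int(ipaddress.IPv4Address(p)) for p in parts[4:8]))
    return entries


def wildcard_match(addr: int, base: int, wildcard: int) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care' for that address bit."""
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (base & care)


def is_interesting(acl, src: str, dst: str) -> bool:
    """True if the packet matches the crypto ACL and would therefore be encrypted into the tunnel."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    return any(wildcard_match(s, bs, ws) and wildcard_match(d, bd, wd) for bs, ws, bd, wd in acl)


def classify(acl, src: str, dst: str) -> str:
    """What the router does with this packet on the crypto-map interface: 'encrypt' or 'clear'."""
    return "encrypt" if is_interesting(acl, src, dst) else "clear"


def are_mirror_images(acl_a, acl_b) -> bool:
    """Peer B's ACL must be peer A's with source and destination swapped, entry for entry.

    A non-mirrored pair typically shows up as a tunnel that comes up in one direction only,
    or as Phase 2 proxy-identity mismatches.
    """
    swapped = {(bd, wd, bs, ws) for bs, ws, bd, wd in acl_a}
    return swapped == set(acl_b)


# The ACLs as configured on R1 and R2 in the example above
R1_ACL = parse_crypto_acl(
    ["access-list 101 permit ip 192.168.101.0 0.0.0.255 192.168.102.0 0.0.0.255"])
R2_ACL = parse_crypto_acl(
    ["access-list 102 permit ip 192.168.102.0 0.0.0.255 192.168.101.0 0.0.0.255"])

# Constructed misconfiguration: R2's entry narrowed to a single host on the R1 side
R2_ACL_WRONG = parse_crypto_acl(
    ["access-list 102 permit ip 192.168.102.0 0.0.0.255 192.168.101.1 0.0.0.0"])


if __name__ == "__main__":
    print(classify(R1_ACL, "192.168.101.100", "192.168.102.100"))   # encrypt
    print(classify(R1_ACL, "192.168.101.100", "203.0.113.10"))      # clear
    print(are_mirror_images(R1_ACL, R2_ACL), are_mirror_images(R1_ACL, R2_ACL_WRONG))
```

Traffic that does not match the ACL is not dropped; it leaves the interface unencrypted, so any subnet that must be protected needs its own ACL entry on both peers.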
