Virtual Private Network

2013-11-13 Source: Category: More sample essays

Contents

• Traditional Connectivity
• What is a Virtual Private Network?
• Basic Architecture of VPN
• What makes a Virtual Private Network Private?
  o VPDN
  o NAS (Network Access Server)
• Types of VPN
  o Remote-Access VPN
  o Site-to-Site VPN
    ▪ Intranet
    ▪ Extranet
• How do VPNs Work?
• Protocols Used in VPN
  o PPTP
  o L2TP
  o IPSec
• Encapsulation of Packets
• VPN Security
  o Firewalls
  o Encryption
  o IPSec
  o AAA Server
• What features are needed in VPN?
• Applications of VPN
  o Site-to-Site
  o Remote-Access
• Industries that may use VPN
• Where do we see VPNs in Future
• Advantages of VPN
• Disadvantages of VPN

TRADITIONAL CONNECTIVITY

[Figure: traditional connectivity through leased lines]

What is a Virtual Private Network (VPN)?

Using a public network, usually the Internet, to connect securely to a private network, such as a company's network, is the basis of a VPN or virtual private network. Companies and organizations will use a VPN to communicate confidentially over a public network, and it can be used to send voice, video or data. It's an excellent option for remote workers and organizations with global offices and partners to share data in a private manner.

➢ A Virtual Private Network is a type of private network that uses public telecommunication, such as the Internet, instead of leased lines to communicate.
➢ They are called 'Virtual' since the data is still travelling through the public network, but both the data and the header can be encrypted.
➢ They became popular as more employees worked in remote locations.

A WAN had obvious advantages over a public network like the Internet when it came to reliability, performance and security. But maintaining a WAN, particularly when using leased lines, can become quite expensive and often rises in cost as the distance between the offices increases. As the popularity of the Internet grew, businesses turned to it as a means of extending their own networks.
First came intranets, which are password-protected sites designed for use only by company employees. Now, many companies are creating their own VPN (virtual private network) to accommodate the needs of remote employees and distant offices.

BASIC ARCHITECTURE OF VIRTUAL PRIVATE NETWORK

[Figure: basic architecture of a virtual private network]

What makes a Virtual Private Network Private?

➢ Using a public network (the Internet) to connect securely to a private network (the company's network) is the basis of a VPN (Virtual Private Network).
➢ Companies and organizations will use a VPN to communicate confidentially over a public network.
➢ It is an excellent option for remote workers and organizations with global offices (to share data in private).

VPDN

One of the most common types of VPNs is a virtual private dial-up network (VPDN). A VPDN is a user-to-LAN connection, where remote users need to connect to the company LAN. Here the company will have a service provider set up a NAS (network access server) and provide the remote users with the software needed to reach the NAS from their desktop computer or laptop. For a VPDN, the secure and encrypted connection between the company's network and remote users is provided by the third-party service provider.

Network Access Server

Abbreviated as NAS, a network access server is an access gateway between an external communications network and an internal network. A common use of NAS is by Internet service providers (ISPs), where the user dials into the ISP and is given access to the Internet after being authorized by the access server. A network access server (NAS) is also referred to as a remote access server (RAS) or as a media gateway. The IETF Network Access Server Requirements Working Group is responsible for defining the requirements for modern remote access servers. Such a server is dedicated to handling users that are not on a LAN but need remote access to it. The remote access server allows users to gain access to files and print services on the LAN from a remote location.
For example, a user who dials into a network from home using an analog modem or an ISDN connection will dial into a remote access server. Once the user is authenticated, he can access shared drives and printers as if he were physically connected to the office LAN.

TYPES OF VPN

Remote-Access VPNs

There are two common types of VPN. Remote-access, also called a virtual private dial-up network (VPDN), is a user-to-LAN connection used by a company that has employees who need to connect to the private network from various remote locations. Typically, a corporation that wishes to set up a large remote-access VPN will outsource to an enterprise service provider (ESP). The ESP sets up a network access server (NAS) and provides the remote users with desktop client software for their computers. The telecommuters can then dial a toll-free number to reach the NAS and use their VPN client software to access the corporate network. A good example of a company that needs a remote-access VPN would be a large firm with hundreds of sales people in the field. Remote-access VPNs permit secure, encrypted connections between a company's private network and remote users through a third-party service provider.

Site-to-Site VPN

Through the use of dedicated equipment and large-scale encryption, a company can connect multiple fixed sites over a public network such as the Internet. Site-to-site VPNs can be one of two types:

• Intranet-based
If a company has one or more remote locations that they wish to join in a single private network, they can create an intranet VPN to connect LAN to LAN. An intranet is a network based on TCP/IP protocols belonging to an organization, usually a corporation, accessible only by the organization's members, employees or others with authorization. Secure intranets are now the fastest-growing segment of the Internet because they are much less expensive to build and manage than private networks based on proprietary protocols.
• Extranet-based
When a company has a close relationship with another company (for example, a partner, supplier or customer), they can build an extranet VPN that connects LAN to LAN, and that allows all of the various companies to work in a shared environment. An extranet refers to an intranet that is partially accessible to authorized outsiders. Whereas an intranet resides behind a firewall and is accessible only to people who are members of the same company or organization, an extranet provides various levels of accessibility to outsiders. You can access an extranet only if you have a valid username and password, and your identity determines which parts of the extranet you can view. Extranets are becoming a popular means for business partners to exchange information.

Other options for using a VPN include such things as using dedicated private leased lines. Due to the high cost of dedicated lines, however, VPNs have become an attractive cost-effective solution.

How do VPNs Work?

➢ VPNs consist of a GATEWAY to the internal network and any number of remote clients.
➢ The gateway is the machine to which the clients connect.
➢ The gateway provides the server-side encryption/decryption and user authentication.

Protocols Used in VPN

PPTP

Short for Point-to-Point Tunneling Protocol, a new technology for creating VPNs, developed jointly by Microsoft, U.S. Robotics and several remote access vendor companies, known collectively as the PPTP Forum. A VPN is a private network of computers that uses the public Internet to connect some nodes. Because the Internet is essentially an open network, PPTP is used to ensure that messages transmitted from one VPN node to another are secure. With PPTP, users can dial in to their corporate network via the Internet.

L2TP

Short for Layer Two (2) Tunneling Protocol, an extension to the PPP protocol that enables ISPs to operate Virtual Private Networks (VPNs).
L2TP merges the best features of two other tunneling protocols: PPTP from Microsoft and L2F from Cisco Systems. Like PPTP, L2TP requires that the ISP's routers support the protocol.

IPSec

A set of protocols developed by the IETF to support secure exchange of packets at the IP layer. IPsec has been deployed widely to implement VPNs. IPsec supports two encryption modes: Transport and Tunnel. Transport mode encrypts only the data portion (payload) of each packet, but leaves the header untouched. The more secure Tunnel mode encrypts both the header and the payload. On the receiving side, an IPSec-compliant device decrypts each packet. For IPsec to work, the sending and receiving devices must share a public key. This is accomplished through a protocol known as Internet Security Association and Key Management Protocol/Oakley (ISAKMP/Oakley), which allows the receiver to obtain a public key and authenticate the sender using digital certificates.

ENCAPSULATION OF PACKETS

[Figure: encapsulation of packets]

VPN Security

Several methods are used to keep your connection and data secure:

➢ Firewalls
➢ Encryption
➢ IPSec (Internet Protocol Security Protocol)
➢ AAA Server (Authentication, Authorization, Accounting)

In the following sections, we'll discuss each of these security methods. We'll start with the firewall.

FIREWALL

A firewall provides a strong barrier between your private network and the Internet. You can set firewalls to restrict the number of open ports, what type of packets are passed through and which protocols are allowed through. Some VPN products, such as Cisco's 1700 routers, can be upgraded to include firewall capabilities by running the appropriate Cisco IOS on them. You should already have a good firewall in place before you implement a VPN, but a firewall can also be used to terminate the VPN sessions.
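An added example, not part of the original essay, of the kind of firewall policy described above for a gateway that terminates IPsec sessions: a first-match rule list with default deny. The gateway address 203.0.113.10, the rule set and the sample packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IP protocol numbers (IANA): TCP=6, UDP=17, GRE=47, ESP=50
TCP, UDP, GRE, ESP = 6, 17, 47, 50

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: int             # IP protocol number
    dport: Optional[int]   # None = protocol has no ports, or any port
    dst: str               # destination network in CIDR form
    note: str              # reason recorded with the decision

# Constructed policy. 203.0.113.10 is a documentation address standing in
# for the public interface of the VPN gateway (an assumption of this example).
GATEWAY = "203.0.113.10/32"
POLICY = [
    Rule("allow", UDP, 500, GATEWAY, "ISAKMP/IKE key exchange"),
    Rule("allow", UDP, 4500, GATEWAY, "IPsec NAT traversal"),
    Rule("allow", ESP, None, GATEWAY, "IPsec ESP traffic"),
    # Explicit denies so the log names the reason instead of "default".
    Rule("deny", TCP, 1723, "0.0.0.0/0", "PPTP control not offered"),
    Rule("deny", GRE, None, "0.0.0.0/0", "PPTP data (GRE) not offered"),
]

def decide(proto: int, dst_ip: str, dport: Optional[int] = None) -> str:
    """First matching rule wins; anything unmatched is denied."""
    addr = ipaddress.ip_address(dst_ip)
    for r in POLICY:
        if (r.proto == proto and r.dport in (None, dport)
                and addr in ipaddress.ip_network(r.dst)):
            return f"{r.action}: {r.note}"
    return "deny: default"

# Constructed sample packets: (protocol, destination, destination port)
SAMPLES = [
    (UDP, "203.0.113.10", 500),
    (ESP, "203.0.113.10", None),
    (TCP, "203.0.113.10", 1723),
    (TCP, "203.0.113.10", 3389),  # remote desktop aimed straight at the gateway
    (UDP, "192.0.2.77", 500),     # IKE to a host that is not the gateway
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt, "->", decide(*pkt))
```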
Encryption

Encryption is the process of taking all the data that one computer is sending to another and encoding it into a form that only the other computer will be able to decode. Most computer encryption systems belong in one of two categories:

▪ Symmetric-key encryption
▪ Public-key encryption

In symmetric-key encryption, each computer has a secret key (code) that it can use to encrypt a packet of information before it is sent over the network to another computer. Symmetric-key encryption requires that you know which computers will be talking to each other so you can install the key on each one. Symmetric-key encryption is essentially the same as a secret code that each of the two computers must know in order to decode the information. The code provides the key to decoding the message. Think of it like this: you create a coded message to send to a friend in which each letter is substituted with the letter that is two down from it in the alphabet. So "A" becomes "C," and "B" becomes "D". You have already told a trusted friend that the code is "Shift by 2". Your friend gets the message and decodes it. Anyone else who sees the message will see only nonsense.

Public-key encryption uses a combination of a private key and a public key. The private key is known only to your computer, while the public key is given by your computer to any computer that wants to communicate securely with it. To decode an encrypted message, a computer must use the public key, provided by the originating computer, and its own private key. A very popular public-key encryption utility is called Pretty Good Privacy (PGP), which allows you to encrypt almost anything. You can find out more about PGP at the PGP site.

VPN Security: AAA Servers

AAA (authentication, authorization and accounting) servers are used for more secure access in a remote-access VPN environment. When a request to establish a session comes in from a dial-up client, the request is proxied to the AAA server.
AAA then checks the following:

▪ Who you are (authentication)
▪ What you are allowed to do (authorization)
▪ What you actually do (accounting)

The accounting information is especially useful for tracking client use for security auditing, billing or reporting purposes.

IPSec

Internet Protocol Security Protocol (IPSec) provides enhanced security features such as better encryption algorithms and more comprehensive authentication. IPSec has two encryption modes: tunnel and transport. Tunnel encrypts the header and the payload of each packet, while transport only encrypts the payload. Only systems that are IPSec compliant can take advantage of this protocol. Also, all devices must use a common key, and the firewalls of each network must have very similar security policies set up.

Applications: Site-to-Site VPNs

• Large-scale encryption between multiple fixed sites such as remote offices and central offices
• Network traffic is sent over the branch office Internet connection
• This saves the company hardware and management expenses

Applications: Remote Access

❖ Encrypted connections between mobile or remote users and their corporate networks
❖ A remote user can make a local call to an ISP, as opposed to a long-distance call to the corporate remote access server.
❖ Ideal for a telecommuter or mobile sales people.
❖ A VPN allows mobile workers and telecommuters to take advantage of broadband connectivity, i.e. DSL, cable.

Industries That May Use a VPN

❑ Healthcare: enables the transferring of confidential patient information within the medical facilities and health care provider
❑ Manufacturing: allows suppliers to view inventory and allows clients to purchase online safely
❑ Retail: able to securely transfer sales data or customer info between stores and the headquarters
❑ Banking/Financial: enables account information to be transferred safely within departments and branches
❑ General Business: communication between remote employees can be securely exchanged

Where Do We See VPNs Going in the Future?

• VPNs are continually being enhanced. Example: Equant NV
• As the VPN market becomes larger, more applications will be created along with more VPN providers and new VPN types.
• Networks are expected to converge to create an integrated VPN.
• Improved protocols are expected, which will also improve VPNs.

How does VPN fit in?

• It's fast.
• It's easy to take with you wherever you go.
• It's dependable.

What features are needed in a well-designed VPN?

It should incorporate:

• Security
• Reliability
• Scalability

A well-designed VPN can greatly benefit a company. For example, it can:

• Extend geographic connectivity
• Improve security
• Reduce operational costs versus traditional WAN
• Reduce transit time and transportation costs for remote users
• Improve productivity
• Provide global networking opportunities
• Provide telecommuter support
• Provide broadband networking compatibility

Advantages: Cost Saving

➢ Eliminating the need for expensive long-distance leased lines
➢ Reducing the long-distance telephone charges for remote access
➢ Transferring the support burden to the service providers
➢ Operational costs

Advantages: Scalability

➢ Flexibility of growth
➢ Efficiency with broadband technology

Disadvantages

➢ VPNs require an in-depth understanding of public network security issues and proper deployment of precautions
➢ Availability and performance depend on factors largely outside of their control
➢ VPNs need to accommodate protocols other than IP and existing internal network technology
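An added example, not part of the original essay, showing the difference between the transport and tunnel modes described in both IPSec sections above, from the viewpoint of an observer on the public network. The addresses, SPI values and key are constructed, and a SHA-256 keystream stands in for a real ESP cipher so that the code needs only the standard library.

```python
import hashlib, socket, struct

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left at 0 for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def stand_in_cipher(key: bytes, data: bytes) -> bytes:
    """SHA-256 counter keystream XOR. A stand-in only: real ESP uses
    negotiated algorithms such as AES-GCM. Applying it twice decrypts."""
    stream = b"".join(hashlib.sha256(key + struct.pack("!I", i)).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def esp(key: bytes, spi: int, seq: int, inner: bytes, next_header: int) -> bytes:
    """SPI | sequence | encrypted(inner | padding | pad_len | next_header).
    The integrity check value that real ESP appends is omitted here."""
    pad_len = -(len(inner) + 2) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    return struct.pack("!II", spi, seq) + stand_in_cipher(key, inner + trailer)

def transport_mode(key: bytes, packet: bytes) -> bytes:
    """Keep the original IP addresses; protect only the upper-layer payload."""
    hdr, payload = packet[:20], packet[20:]
    body = esp(key, 0x1001, 1, payload, hdr[9])   # next header = original protocol
    src, dst = socket.inet_ntoa(hdr[12:16]), socket.inet_ntoa(hdr[16:20])
    return ipv4_header(src, dst, 50, len(body)) + body

def tunnel_mode(key: bytes, packet: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Encrypt the whole original packet behind a new gateway-to-gateway header."""
    body = esp(key, 0x2001, 1, packet, 4)         # next header 4 = IPv4 in IP
    return ipv4_header(gw_src, gw_dst, 50, len(body)) + body

def visible_endpoints(wire: bytes):
    """Source, destination and protocol an on-path observer can read."""
    return socket.inet_ntoa(wire[12:16]), socket.inet_ntoa(wire[16:20]), wire[9]

# Constructed sample: internal host 10.1.0.5 sends TCP (protocol 6) to 10.2.0.9.
KEY = b"constructed-demo-key"
DATA = b"GET /payroll HTTP/1.1\r\n\r\n"
ORIGINAL = ipv4_header("10.1.0.5", "10.2.0.9", 6, len(DATA)) + DATA
TRANSPORT = transport_mode(KEY, ORIGINAL)
TUNNEL = tunnel_mode(KEY, ORIGINAL, "198.51.100.1", "203.0.113.1")

if __name__ == "__main__":
    print("transport:", visible_endpoints(TRANSPORT))
    print("tunnel:   ", visible_endpoints(TUNNEL))
```

In transport mode the observer still learns which internal hosts are talking; in tunnel mode only the two gateway addresses are exposed, and the inner header travels inside the encrypted ESP payload.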