VIRTUAL PRIVATE NETWORK

ABSTRACT :

Virtual Private Networks (VPNs) are today becoming the most

universal method for remote access. They enable Service Provider to
take advantage of the power of the Internet by providing a privat
tunnel through the public cloud to realize cost savings and
productivity enhancements from remote access applications. VPN
meets the four key enterprise requirements of compatibility, security,
availability and manageability. A VPN is an extension of an
enterprise’s private intranet across a public network (the Internet)
creating a secure private connection, essentially through a private
tunnel. VPNs securely convey information across the Internet
connection remote users, branch offices, and business partners into an
extended corporate network . In this paper I will attempt to give an
overview of VPN and its services, their implementation, the three
main types of VPNs.

INTRODUCTION -

The wide spread migration towards the

Internet Protocol creates a golden age for system integrators, network
manager who are creating and implementing IP based
Internetworking solution. Employees on business trips need to stay
current with their electronic mail. Sales represents in the field must be
able to access corporate databases.

Branch offices must be part of the corporate network. Virtual private

networks (VPNs) offer low-cost, secure, dynamic access to private
networks. Such access would otherwise only be possible by using an
expensive leased line solution or by dialing directly into the local area
network (LAN).

VPNs allow remote users to access private networks securely over the
Internet. A remote user in one part of the UK can establish a secure
network connection using a VPN to a school LAN in another part of
the UK and only incur the call cost for the local Internet connection
Our aims to address the topic of quality of service and the tools
available for designing a Virtual Private Network (VPN) with
appropriate service levels for mission critical applications.

What is a VPN?
A virtual private network gives secure access to LAN resources over a
shared network infrastructure such as the internet. It can be
conceptualised as creating a tunnel from one location to another, with
Encrypted data traveling through the tunnel before being decrypted at
its destination.
Remote users can connect to their organisation's LAN or any other
LAN. They can access resources such as email and documents as if
they were connected to the LAN as normal. By using VPN
technology it is possible to connect to a school LAN from anywhere
in the world via the internet, and to access it securely and privately
without incurring the large communication costs associated with other
solutions.
One user uses a 56 kilobits per second (Kbps) modem to dial their
internet service provider (ISP) and connects to the central LAN with
VPN software.

Figure 1: two methods of connecting to a school's LAN using a VPN

In figure 1 two method connected that is one user uses a 56 kilobits

per second modem to dial their internet service provider and connects
to the central LAN with VPN software.
Second is a remote site uses asymmetric digital subscriber line to
connect to its ISP and VPN router to carry out the VPN connection.
Few changes are made to the PCs at the VPN router carries out the
encryption and decryption of data. As both connect to their usual ISP,
they only incur their normal ISP call traffic.

What does the term virtual private network really mean

Virtual?:
It means that the connection is dynamic. It can change and adapt to
different circumstances using the internet's fault tolerant capabilities.
When a connection is required it is established and maintained
regardless of the network infrastructure between endpoints. When it is
no longer required the connection is terminated, reducing costs and
the amount of redundant infrastructure.

Private:
It means that the transmitted data is always kept confidential and
can only be accessed by authorised users. This is important because
the internet's original protocols –TCP/IP (transmission control
protocol/internet protocol) – were not designed to provide such
levels of privacy. Therefore, privacy must be provided by other
means such as additional VPN hardware or software.

Network:
It is the entire infrastructure between the endpoints of users, sites or
nodes that carries the data. It is created using the private, public,
wired, wireless, internet or any other appropriate network resource
available.
What types of VPN are there?
There are many variations of virtual private networks, with the
majority based on two main models:

Remote access:
(Virtual private dial-up network (VPDN) or client-to-site)
A remote access VPN is for home or travelling users who need to
access their central LAN from a remote location. They dial their ISP
and connect over the internet to the LAN. This is made possible by
installing a client software program on the remote user’s laptop or
PC that deals with the encryption and decryption of the VPN traffic
between itself and the VPN gateway on the central LAN.

Fixed:
(Intranet and extranet or site-to-site)
A fixed VPN is normally used between two or more sites allowing a
central LAN to be accessed by remote LANs over the internet or
private communication lines using VPN gateways. VPN gateways
(normally a VPN-enabled router) are placed at each remote site and
at the central site to allow all encryption and decryption and
tunneling to be carried out transparently.

How does a VPN work?

A remote access solution works by the remote user first establishing
an internet connection to an ISP in the normal way. The user
activates the VPN client software to create a tunnel over the internet
and to connect to the central LAN’s VPN gateway. The VPN client
software then passes its authorization to the VPN gateway. The VPN
gateway checks that the user is authorised to connect and then
ensures the encryption key from the remote client is valid. All VPN
data is encrypted using the key before being transmitted over the
internet using a tunneling protocol. It is decrypted at the other end
by the VPN gateway, which has an identical set of keys to decrypt the
data. Data sent from the central LAN to the remote user is encrypted
by the VPN gateway before transmission and decrypted by the
remote user’s VPN client software.

Fig 2:remote access VPN solution

QUALITY OF SERVICE
The Need for QoS:
Users of a widely scattered VPN do not usually care about the
network topology or the high level of security/encryption or firewalls
that handle their traffic. They don't care if the network implementers
have incorporated IPSec tunnels or GRE tunnels.
What they care about is something more fundamental, such as:
Do I get acceptable response times when I access my mission critical
applications from a remote office?
Acceptance levels for delays vary. While a user would be willing to
put up with a few additional seconds for a file transfer to complete,
the same user would have less tolerance for similar delays when
accessing a database or when running voice over an IP data network.
QoS aims to ensure that your mission critical traffic has acceptable
performance. In the real world where bandwidth is finite and diverse
applications from videoconferencing to ERP database lookups must
all vie for scarce resources, QoS becomes a vital tool to ensure that
all applications can coexist and function at acceptable levels of
performance.

QoS for VPNs:

The primary QoS building blocks of VPNs are:
 Packet classification (using Committed Access Rate [CAR])
Bandwidth management (policing with CAR, shaping with
GTS/FRTS, bandwidth allocation with WFQ)
Congestion avoidance (with WRED)
Packet Classification:

The aim of packet classification is to group packets based on

predefined criteria so that the resulting groups of packets can then be
subjected to specific packet treatments. The treatments might include
faster forwarding by intermediate routers and switches or lesser
probability of the packets being dropped due to lack of buffering
resources.
It is necessary that traffic be classified before tunneling and
encryption since otherwise the tunnel header that is appended to the
IP packet would make the QoS markings in the IP header invisible to
intermediate routers/switches, which need to read this information and
act upon it. Classification brings into question the right match criteria.
There are a number of criteria based upon which we may classify
traffic before it enters the VPN:
IP addresses
TCP/UDP port numbers
IP precedence (3 bits in the type of service field of the IP packet
header)
URL and sub-URL
MAC addresses
 Figure 1: Classification at network ingress
Once we classify packets based on the above criteria the next step is
to "mark" or "color” packets with a unique identification to ensure
that this classification is respected end to end. The simplest way of
doing this is via the IP ToS field in the header of an IP datagram. In
the near future the Internet Engineering Task Force (IETF)- sponsored
Differentiated Service Code Points (DSCP) could become the
classification criterion of choice.
The purpose behind this type of marking of packets is to ensure that
downstream QoS features such as scheduling and queuing may accord
the right treatment for packets thus marked. In some cases the service
provider whose backbone is being used for the VPN might provide
differentiated services, classification allows you to leverage these
services.
Bandwidth Management :
Once traffic has been classified the next step is to ensure that it
receives special treatment in the routers. This brings into focus
scheduling and queuing.
Before we get into the subject of queuing it might be good to step
back and consider what we mean by a flow. For this discussion a flow
would be a group of packets which share a common criteria whether
that criteria is a source/destination IP address or a TCP/UDP port
number or a protocol or a type of service (TOS) field.
They provides two implementations of weighted fair queuing (WFQ):
Flow-based WFQ.
Class-based WFQ.
Traffic shaping.

VPN Implementation:

Remote User Access Over The Internet

VPN provide remote access to corporate resources

over the public internet, while maintaining privacy of information.

Rather than making a long distance call to a

corporate or outsourced Network Access Server (NAS), the user calls
a local ISP, the VPN software creates a Virtual Private Network
between the dial-up user and the corporate VPN server across the
Internet.

Connecting Networks Over The Internet :

There are two methods for using VPNs to connect local area
networks at remote sites.

Using dedicated lines to connect a branch office to a

corporate LAN:

Rather than using an expensive long haul dedicated

circuit between the branch office and the corporate hub, both the
branch office and the corporate hub routers can use a local dedicated
circuit and local ISP to connect to the Internet. The VPN software
uses the local ISP connections and their public Internet to create a
Virtual Private Network between the branch office router and the
corporate hub router.

Using a Dial - Up line to connect a branch office to a

corporate LAN:
 Rather than having a router at the branch office make
a long distance call to a corporate on outsourced NAS, the router at
the branch office can call the local ISP. The VPN software uses the
connection to office router and the corporate hub router across the
Internet.

Note that in both cases, the facilities that connect the

branch office and corporate office to the Internet are local. The
corporate hub router that acts as a VPN server must be connected to a
local ISP with a dedicated line. This VPN server must listen 24 hours
a day for incoming VPN traffic.

Connecting Computers Over An Internet :

In some corporate Internet works, the department

data is so sensitive that the department's LAN is physically
disconnected from the rest of the corporate Internet work. While this
protects the department's confidential information, which creates
information accessibility problems for those users not physically
connected to the separate LAN.

VPNs allow the department's LAN to be physically

connected to the corporate Internet work but separated by a VPN
server. Note that the VPN server is not acting as a router between the
corporate Internet work and the department LAN. A router would
interconnect the two networks allowing everyone access to the
sensitive LAN. By using a VPN the network administrator can ensure
that only those users on the corporate Internet work who have
appropriate credentials (based on a need to know policy with the
company) can establish a VPN with the VPN server and gain access
to the protected resources of the department.

Additionally, all communications across the VPN can be encrypted

for data confidentiality. Those users who do not have the proper
credentials can not view the department LAN.

Basic Requirements Of VPNs :

Typically when deploying a remote networking

solution an enterprise needs to facilitate controlled access to corporate
resources and information. The solution must allow roaming or
remote clients to connect to corporate to each other to share resources
and information (LAN-to-LAN connections).

Therefore at a minimum a VPN solution should

provide all of the following:
1. User Authentication :

The solution must verify the user's identity and restrict VPN access to
authorized users only. In addition, the solution must provide audit and
accounting records to show who accessed what information when.

2. Address Management :

The solution must assign a clients address on the private net, and must
ensure that the private address are kept private.

3. Data encryption :

Data carried on the public network must be rendered

unreadable to unauthorized clients on the network.

4. Key Management :

The solution must generate and refresh encryption

Keys for the client and server.

5. Multi protocol Support:

The solution must be able to handle common protocols used in the

public network. These include Internet Protocol (IP), internet packet
exchange (IPX) and so on.

5.Tunelling :
Using tunneling can create a VPN. Tunneling is a Technology that
lets a network transport protocol carry information for other protocols
within its own packets.

Tunneling is a method of using an Internet work

infrastructure to transfer data from one network over another network.
The data to be transferred can be frames or packets of another
protocol. Instead of sending a frame ad it is produced by the
originating node, the tunneling protocol encapsulates the frame in an
additional header. The additional header provides routing information
so that the encapsulated payload can traverse the intermediate Internet
work.

The encapsulated packets are then routed between

tunnel end points over the Internet work. The logical path through
which the encapsulated packets travel through the Internet work is
called a tunnel. Once the encapsulate frames reach their entire process
(encapsulation, transmission and encapsulation of packets).

Tunneling Technologies :

1. SNA tunneling over IP Internet works :

When System Network Architecture (SNA) traffic is sent across a
corporate IP Internet work, the SNA frame is encapsulated in a UDP
and IP header.

2. IPX tunneling for Novell Netware over IP Internet

works :

When an IPX packet is sent to a NetWare server or IPX router, server

or router wraps the IPX packet in a UDP and the IP header, and then
sends it across an IP Internet work. The destination IP-to-IPX router
removes the UDP and IP header and forwards the packet to the IPX
destination.

3. Point-to-Point tunneling protocol (PPTP) :

PPTP allows IP, IPX traffic to be encrypted and then encapsulate in

an IP header to be sent across a corporate IP Internet work or a public
IP Internet work such as the Internet work.

4. Layer2 Tunneling Protocol (L2TP) :

L2TP allows IP, IPX traffic to be encrypted and then sent

over any medium that supports point-to-point data gram delivery such
as IPX 25, Frame Relay.

5. IP security (IPSEC) tunnel mode :

IPSEC tunnel mode allows IP payloads to be encrypted and then
encapsulate in an IP header to be sent across a corporate IP Internet
work or a public Internet work such as the Internet.

Tunneling Protocols :

Tunneling technology can be based on either a

Layer2 or Layer3 tunneling protocol. These layers correspond to the
Open Systems Interconnection (OSI) reference model.

· Layer2 protocol corresponds to the data link layer and use

frames as their unit of exchange. PPTP and L2TP and L2F are Layer2
tunneling protocols.

· Layer3 protocols correspond to the network layer and use

packets. IP over IP and IP Security (IPSEC) tunnel mode are
examples of Layer 3 tunneling protocols.

How Tunneling Works:

For Layer2 tunneling terminologies such as PPTP

and L2TP a tunnel is similar to a session. Data transferred across the
tunnel using a datagram based protocol. A tunnel maintenance
protocol is used as a mechanism to manage the tunnel. For layer2
protocols, however a tunnel must be created maintained and then
terminated.

Once the tunnel is established, tunnel data can be

sent. The tunnel client or server uses a tunnel data transfer protocol to
prepare the data to transfer.

For example when the tunnel client sends a payload

to tunnel server, the tunnel client first appends a tunnel data transfer
protocol header to the payload. The client then sends the resulting
encapsulated payload across the Internet work, which routes it to the
tunnel server. The tunnel server accepts the packets, removes the
tunnel data transfer protocol header and forward the payload to the
target network.

6. How VPNs differ from ordinary networks:

VPN differ from ordinary networks in three ways:

1. Virtual Private Networks allow any valid remote user to become

part of a corporate central network, using the same network scheme
and addressing as users on this central network.

2. Each Corporate central network can also be responsible for

validating their own users, despite the fact that they are actually
dialing into a public network.
3. The Internet Service Provider can give each of their customer's a
unique dial-up telephone number, which will distinguish their service
from any other. But this is depends on the software that will be used
by the remote user.

The Need for VPNs:

VPNs aim to give the remote corporate user the same level of access
to corporate computing and data resources as the user would have if
she were physically present at the corporate headquarters. By
reducing the costs of transporting data traffic and by enabling network

connections in locations where they would not be affordable, VPNs

reduce the total cost of ownership of a corporate network.

7.Example use of VPN:

A remote employee wants to connect into the corporate network and

access their company's internal web.

Step 1.

The remote user dials into their local ISP and logs into the
ISP's network as usual.

Step 2.
When connectivity to the corporate network is desired, the user
initiates a tunnel request to the destination Security server on the
corporate network. The Security server authenticates the user and
creates the other end of tunnel.

Step 3.

The user then sends data through the tunnel, which encrypted by the
VPN software before being sent over the ISP connection.

Step 4.

The destination Security server receives the encrypted data and

decrypts. The Security server then forwards the decrypted data
packets onto the corporate network. Any information sent back to the
Remote user is also encrypted before being sent over the Internet.

The figure below illustrates that VPN software can be used from any
location through any existing ISP's dial-in service.

8. Advantages of Virtual Private Network:

· Secure data transmission with Tunneling Protocol through

Internet.
· Cost effectiveness which eliminates long distance charges.

· VPN links are always based on telephone calls, anywhere

around the world resulting in increased performance and productivity.

· VPN using the Internet provides an effective medium for

communication.

· Since communication via the Internet using VPN costs a

fraction of an identical link, more remote units can be interconnected.

9. Disvantages of Virtual Private Network:

Every good thing in the world has some downsides.

Similarly, using a VPN service has some disadvantages. Speed,
performance, and cost. ... Using a VPN service can slow down your
Internet connection's speed because of the processing power required
for encryption.

-VPNs Can Sometimes Slow Down Your Online Speeds

- Using the Wrong VPN Can Put Your Privacy in Danger

- Quality VPNs Will Cost Money

- Not All Devices Natively Support VPNs

Conclusion:

Thus VPN is an outgrowth of the Internet technology, which will

transform the daily method of doing business faster than any other
technology. A Virtual Private Network, or VPN, typically uses the

Internet as the transport backbone to establish secure links with

business partners, extend communications to regional and isolated
offices, and significantly decrease the cost of communications for an
increasingly mobile workforce. VPNs serve as private network
overlays on public IP network infrastructures such as the Internet.

References:

www.infiworld.com
www.seminars.com
www.altavista.com