Virtual Private Networks

© J. Liebeherr, All rights reserved, 10/22/05

Goal of VPN

• The goal of a Virtual Private Network (VPN) is to provide private communications within the public Internet infrastructure

• VPNs apply various networking technologies to achieve the goal

• The basic concepts:
  – Build a virtual overlay network that is run on top of the infrastructure of the Internet
  – "Virtual" means that there is no new infrastructure
  – Connect private networks by the overlay networks


Why is there a need for VPN?

• The Internet has insufficient security mechanisms
  – IP packets are not authenticated or encrypted
  – Users with access to the network can read the content of IP traffic

• Application-layer solutions are not always suitable
  – Secure Web access, secure mail clients, secure file transfer, and secure terminal applications are only point-to-point solutions and assume a client/server relationship
  – Application-layer solutions require that each application is protected in isolation, which does not secure networks


VPN Overlay Network

[Figure: three private intranets, each behind a VPN router, connected across the public Internet by IP-in-IP tunnels between the VPN routers]


Tunneling

• VPN routers connect via IP tunnels

• With tunneling, IP packets are encapsulated by another IP header (IP-in-IP encapsulation)

[Figure: IP-in-IP tunnel between two VPN routers through a router in the public Internet. The original packet (IP header + payload) becomes the payload of an outer IPv4 header while it crosses the tunnel; the far VPN router removes the outer header and forwards the original packet]
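The IP-in-IP encapsulation from the slide, written out in code. This is an added example, not code from the slides: the IPv4 header construction, the checksum check and the peer check in decapsulate are mine, and all addresses are constructed (RFC 5737 documentation ranges).

```python
# Added example (not from the slides): IP-in-IP encapsulation (RFC 2003) as the
# VPN routers on the slide do it. Addresses are made-up documentation addresses.
import ipaddress
import struct

IPPROTO_IPIP = 4    # outer header's protocol field for IP-in-IP
IPPROTO_UDP = 17

def checksum(data):
    """Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def ipv4_packet(src, dst, proto, payload, ttl=64):
    """Minimal IPv4 datagram (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload

def parse_ipv4(packet):
    """Verify the header checksum; return (src, dst, proto, payload)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    total_len = struct.unpack("!H", packet[2:4])[0]
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    return src, dst, packet[9], packet[ihl:total_len]

def encapsulate(inner, router_a, router_b):
    """VPN router A wraps a private packet in an outer header addressed to router B."""
    return ipv4_packet(router_a, router_b, IPPROTO_IPIP, inner)

def decapsulate(outer, expected_peer):
    """VPN router B strips the outer header; accept only the configured tunnel peer."""
    src, _dst, proto, inner = parse_ipv4(outer)
    if proto != IPPROTO_IPIP or src != expected_peer:
        raise ValueError("not an IP-in-IP packet from the expected peer")
    return inner
```

A plain IP-in-IP tunnel gives neither authentication nor confidentiality: the inner packet crosses the public Internet in the clear, and the source-address check above is the only filter, which is why the security mechanisms on the following slides are needed.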


VPN Security

• VPNs use many security mechanisms
  – Authentication: Identify VPN users and devices
  – Access control: Ensure authorized use of VPN resources
  – Data security: Use cryptography to obscure content transmitted over VPN


Components of a VPN Solution

VPN Gateway:
• Located at the corporate network perimeter, the gateway performs tunneling, authentication, access control, and data security
• Sometimes, VPN gateway functions can be integrated into a router or firewall

VPN Client:
• Software used for remote VPN access
• Creates a secure path from a remote client computer to a VPN gateway

[Figure: a VPN gateway sits between the public network and the private network]


VPN Architectures

• VPN architectures can be separated into three scenarios:

1. Site-to-Site Intranet VPN:
   – Multiple network sites at different locations within the same organization are connected using a VPN to form a larger corporate network

2. Remote Access VPN:
   – Connect a single remote device to a corporate intranetwork

3. Extranet VPN:
   – Network resources within a corporate network are opened for access for dedicated purposes


Site-to-Site Intranet VPN

[Figure: three intranets, each behind a VPN gateway, connected by VPN tunnels across the public Internet]

• VPN tunnels establish secure communication links


Remote Access VPN

[Figure: a remote client reaches the intranet's VPN gateway through a VPN tunnel across the public Internet, connecting via a WiFi access point or a cable modem]

• Also called: Virtual Private Dial Network (VPDN)


Extranet VPN

[Figure: the intranet's VPN gateway terminates VPN tunnels across the public Internet for customer access (via cable modem) and for partner access (from the partner network's VPN gateway)]


VPN Tunneling Protocols

• Role of VPN tunnels:
  1. Encapsulation of messages
  2. Privately address packets through public infrastructure
  3. Provide data integrity and confidentiality

– Layer-2 tunneling protocols carry Point-to-Point Protocol (PPP) frames through IP networks

– PPP:
  – PPP is used to send IP packets over serial connections
  – Used extensively for point-to-point data links (dial-in)
  – Can provide authentication

PPP frame (field: value, length in bytes):

  flag: 7E (1) | addr: FF (1) | ctrl: 03 (1) | protocol (2) | data (<= 1500) | CRC (2) | flag: 7E (1)

  protocol = 0021: the data field carries an IP datagram


Layer-2 Tunneling Protocol

• Developed to facilitate PPP access by remote computers to a private network over an IP-based network

Remote Dial-in:
• Remote Access Service (RAS) provides banks of phone lines for connecting remote users
• Remote system calls up and establishes a PPP connection to the RAS service

With Layer-2 tunneling:
• Approach: Tunnel PPP packets through the Internet
• Access concentrator (possibly inside the remote system) encapsulates PPP frames
• Network server terminates the VPN tunnel

[Figure: remote dial-in: a PPP connection over the telephone network to a RAS server at the intranet. With Layer-2 tunneling: a PPP connection to an access concentrator, which tunnels the PPP frames across the Internet to the network server at the intranet]


Layer-2 Tunneling Protocols

Point-to-Point Tunneling Protocol (PPTP):
– Developed by Microsoft, 3Com, US Robotics, and others
– Goal: Provide VPN between remote access users and network servers
– Approach: Tunneling on client systems

Layer-2 Forwarding Protocol (L2F):
– Developed by Cisco, Nortel and others
– Virtual dial-up protocol for managed networks
– Approach: Tunneling is performed as a network service (not by client)

Layer-2 Tunneling Protocol (L2TP):
– Developed within the IETF
– Combines concepts of PPTP and L2F


Remote Dial-in Layer-2 Tunneling Protocol

Assumes the Layer-2 tunneling protocol PPTP:
• User does remote dial-in to ISP and establishes a PPP connection
• Establish a (TCP) connection to set up a control channel
• Establish a PPTP tunnel
• Establish a PPP tunnel that sends PPP frames over the PPTP tunnel
• IP packets are carried in PPP frames

[Figure: the remote client connects over PPP to the ISP network server; across the Internet, a PPTP control channel and a PPTP tunnel run to the network server at the intranet. The PPTP tunnel carries PPP, which carries IP]


Encapsulation at remote client

[Figure: same topology as the previous slide: remote client, ISP network server, PPTP control channel and PPTP tunnel across the Internet to the network server at the intranet]

Encapsulation at the remote client, innermost layer first:

1. IP header | Payload: original IP packet
2. PPP | IP header | Payload: PPP encapsulation to remote network server
3. GRE header | PPP | IP header | Payload: GRE header is used by PPTP
4. IP header | GRE header | PPP | IP header | Payload: IP header for public Internet
5. PPP | IP header | GRE header | PPP | IP header | Payload: PPP encapsulation to ISP network server
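The GRE header that PPTP inserts between the public-Internet IP header and the inner PPP frame, built and parsed. This is an added example, not code from the slides; it follows the "enhanced GRE" layout of RFC 2637 (key, sequence and acknowledgment fields, protocol type 0x880B), and the PPP payload and call ID used in the check are constructed placeholders.

```python
# Added example (not from the slides): the enhanced GRE header (RFC 2637) that
# PPTP places between the public-Internet IP header and the PPP frame.
import struct

GRE_PROTO_PPP = 0x880B   # protocol type: PPP carried by PPTP
GRE_VERSION = 1          # enhanced GRE
K, S = 0x20, 0x10        # byte 0: Key present, Sequence present
A = 0x80                 # byte 1: Acknowledgment present

def gre_pptp(call_id, ppp_payload, seq=None, ack=None):
    """Prepend the PPTP GRE header; payload length excludes the GRE header itself."""
    b0 = K | (S if seq is not None else 0)
    b1 = GRE_VERSION | (A if ack is not None else 0)
    hdr = struct.pack("!BBHHH", b0, b1, GRE_PROTO_PPP, len(ppp_payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + ppp_payload

def parse_gre_pptp(data):
    """Return (call_id, seq, ack, ppp_payload); raise ValueError if not PPTP GRE."""
    if len(data) < 8:
        raise ValueError("truncated GRE header")
    b0, b1, proto, plen, call_id = struct.unpack("!BBHHH", data[:8])
    if (b1 & 0x07) != GRE_VERSION or proto != GRE_PROTO_PPP or not (b0 & K):
        raise ValueError("not a PPTP GRE packet")
    if b0 & 0xC0:   # C (checksum) or R (routing) bit set: not allowed in PPTP GRE
        raise ValueError("checksum/routing bits must be zero")
    hlen = 8 + (4 if b0 & S else 0) + (4 if b1 & A else 0)
    if len(data) < hlen + plen:
        raise ValueError("packet shorter than header plus declared payload length")
    off, seq, ack = 8, None, None
    if b0 & S:
        seq, off = struct.unpack("!I", data[off:off + 4])[0], off + 4
    if b1 & A:
        ack, off = struct.unpack("!I", data[off:off + 4])[0], off + 4
    return call_id, seq, ack, data[off:off + plen]
```

The declared payload length is checked against the actual packet length before any slice is taken, so a truncated or inconsistent GRE packet is rejected rather than parsed as a short PPP frame.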


Other VPN approaches

IPSec:
– Protocol suite for secure communications at Layer-3
– Consists of security headers and a set of protocols
– Originally designed for IPv6
– Performs services for authentication, integrity, confidentiality
– Can perform tunneling of IP datagrams

MPLS:
– LSPs can provide data link connections between remote networks
– Builds on isolation of LSPs in the MPLS network

SSH/PPP:
– Secure Shell (SSH) provides secure access to remote hosts
– Assumes client/server relationship
– Intended as a replacement for insecure protocols such as Telnet, rsh, etc.
– VPN services can be built by creating a PPP connection within an SSH connection