Learning to Live and Work with Virtual Private Networks
Richard Perlman, perl@lucent.com
CEENET #6, Budapest, Hungary
(transcript of a 62-slide deck)

Page 1: Learning to Live and Work with Virtual Private Networks (title slide)

Page 2: Tunneling Defined

Creating a transparent virtual network link between two network nodes that is unaffected by physical network links and devices.

Page 3: Tunneling Explained

• Tunneling is encapsulating one protocol in another
• Tunnels provide routable transport for unroutable packets (encrypted, illegally addressed, or unsupported)
• Tunneling itself provides no security

Page 4: Tunneling Illustrated

(figure only)

Page 5: Tunneling Illustrated

(figure only)

Page 6: Tunneling Illustrated

(figure: LAN A and LAN B joined by a tunnel)

Page 7: Tunneling Illustrated

(figure: Workstation X and Router A on LAN A, Router B and Workstation Y on LAN B, joined by a tunnel)

• Step 1. Original, unroutable IP packet (dest Y) sent to router
• Step 2. Original IP packet encapsulated in another IP packet (the new IP packet carries the original IP packet through the tunnel)
• Step 3. Original packet extracted, sent to destination (original IP packet, dest Y)
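The three steps above carried out in code, as an added example that is not from the slides: a constructed IPv4 packet from workstation X with a private destination is wrapped by router A in an IP-in-IP (protocol 4, RFC 2003) packet addressed to router B, and router B unwraps it. The addresses, the checksum helper and the peer check are assumptions of the example; it also makes the point of the "Tunneling Explained" slide concrete, since nothing in the tunnel is authenticated or encrypted.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4   # IANA protocol number for IP-in-IP encapsulation (RFC 2003)
IPPROTO_UDP = 17


def checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071), as used for the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 packet (20-byte header, no options) around payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Parse the fields this example needs, verifying the header checksum first."""
    ihl = (pkt[0] & 0x0F) * 4
    if checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    fields = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": str(ipaddress.IPv4Address(fields[8])),
            "dst": str(ipaddress.IPv4Address(fields[9])),
            "proto": fields[6], "payload": pkt[ihl:fields[2]]}


def router_a_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Step 2 at Router A: wrap the unroutable packet in a new, routable IP packet.
    Routers in between only ever look at the outer header."""
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner)


def router_b_decapsulate(outer: bytes, expected_peer: str) -> bytes:
    """Step 3 at Router B: strip the outer header and return the original packet.
    The peer check is a plausibility check only: plain IP-in-IP carries no
    authentication or encryption, which is what 'tunneling itself provides no security' means."""
    o = parse_ipv4(outer)
    if o["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP packet")
    if o["src"] != expected_peer:
        raise ValueError("outer source is not the configured tunnel peer")
    return o["payload"]


def tunnel_round_trip() -> dict:
    """Run the three steps of the slide on a constructed packet from X (LAN A) to Y (LAN B)."""
    # Step 1: X sends a packet with a private (unroutable) destination to Router A.
    inner = build_ipv4("10.0.1.10", "10.0.2.20", IPPROTO_UDP, b"hello Y")
    # Step 2: Router A encapsulates it between the routers' public tunnel addresses (constructed).
    outer = router_a_encapsulate(inner, "198.51.100.1", "203.0.113.1")
    # Step 3: Router B extracts the original packet and would forward it to Y.
    extracted = router_b_decapsulate(outer, "198.51.100.1")
    try:
        router_b_decapsulate(outer, "192.0.2.99")   # a packet from the wrong peer
        rejected = False
    except ValueError:
        rejected = True
    return {"outer": parse_ipv4(outer), "inner": parse_ipv4(extracted),
            "intact": extracted == inner, "rejected_wrong_peer": rejected}
```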

Page 8: Virtual Private Networks (VPN)

• What is a VPN?
  – A means of augmenting a shared network on a secure basis through encryption and/or tunneling
  – Tunnels created between endpoints for transporting data securely across public networks
• Benefits
  – Leverages existing Service Provider infrastructure for private data communications
  – Cost savings

Page 9: What Is an IP VPN?

• Emulate a private network over a shared IP network
• Why IP? Service differentiation, global connectivity, flexibility, platform for fast growing new services (e.g. e-commerce)

(figure: a shared IP network / the Internet connecting branch offices, corporate headquarters, customers and suppliers, and remote workers)

Page 10: Types of IP VPN Services

• Service options
  – Applications: Dial, Intranet, Extranet
  – QoS: End-to-end guarantees, service differentiation, best effort
  – Security: Network based, user based
  – Infrastructure: Internet, IP, ATM, MPLS

Where is the VPN intelligence, and who owns the VPN:

  Where is the VPN intelligence  | Owned by Service Provider | Owned by Enterprise
  Customer premise               | Managed CPE IP VPN        | Enterprise IP VPN
  Service provider network       | Network based IP VPN      | -

Page 11: One way to communicate…

(figure: New York HQ, Tokyo and London sites, each with a LAN, firewall, router and CSU/DSU; the sites and their remote access servers are joined by PSTN (dial) or dedicated lines, with separate connections to the Internet and web sites)

Page 12: Another view of network possibilities... A Virtual Private Network

(figure: the same New York, Tokyo and London LANs, each behind a firewall, CSU/DSU and router with L2TP; all sites, remote clients and web sites are reached through the Internet)

Page 13: Internet as Backbone: Dial-Up

(figure: a remote user with VPN software builds a secure tunnel across the Internet/ISP network to the VPN gateway of the private network; a hacker on the Internet sits outside the tunnel)

Page 14: Internet as Backbone: Branch Offices

(figure: a VPN router at the branch office builds a secure tunnel across the Internet/ISP network to the VPN gateway of the private network)

Page 15: Shared Dial Networking

(figure: a mobile employee, a telecommuter and a contractor dial into IAGs on a shared service provider network; their tunneled traffic reaches the VPN gateway of the private network)

Page 16: Virtual Private Networks

• Extends private network boundary across a shared network using tunneling technology

(figure: VPN gateways in front of private servers and internal users, tunnels across the shared network, and virtual private dial-up users entering through an IAG)

Page 17: Types of Tunnels

• Two basic types of tunnels
  – Voluntary tunnels: tunneling initiated by the end-user (requires client software on the remote computer)
  – Compulsory tunnels: tunnel is created by the NAS or router (tunneling support required on the NAS or router)

Page 18: Voluntary Tunnels

• Will work with any network device
  – Tunneling transparent to leaf and intermediate devices
  – But user must have a tunneling client compatible with the tunnel server: PPTP, L2TP, L2F, IPSEC, IP-IP, etc.
• Simultaneous access to Intranet (via tunnel) and Internet possible
• Employees can use personal accounts for corporate access
• Remote office applications
• Dial-up VPNs for low traffic volumes

Page 19: A Voluntary PPTP Tunnel

(figure, "Dial IP Access": the client host's serial interface runs the PPP access protocol to the dial access server of the dial access provider; the client's PPTP virtual interface runs on to the PPTP access server of the VPN service)

Page 20: Compulsory Tunnels

• Will work with any client
  – But NAS must support the same tunnel method
  – But… tunneling transparent to intermediate routers
• Network access controlled by tunnel server
  – User traffic can only travel through the tunnel
  – Internet access possible, but must be by pre-defined facilities
• Greater control; can be monitored

Page 21: Compulsory Tunnels

• Static tunnels: all calls from a given NAS/router tunneled to a given server
• Realm-based tunnels: each tunnel based on information in the NAI (i.e. user@realm)
• User-based tunnels: calls tunneled based on userID data stored in the authentication system

Page 22: A Compulsory L2TP Tunnel

(figure: the client host reaches the dial access server of the dial access provider over a V.x modem protocol and the PPP access protocol; a non-routed forwarding path carries L2TP from the dial access server to the L2TP access server of the Internet or VPN service)

Page 23: RADIUS Support for Tunnels

• Can define tunnel type
• Can define/limit tunnel end points
• Allows tunnel configuration to be based on Calling-Station-ID or Called-Station-ID
• Additional accounting information: tunnel end points, tunnel ID, etc.
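An added example, not from the slides, of how the selection methods of the "Compulsory Tunnels" slide (static, realm-based via the NAI, user-based from the authentication database) and the RADIUS options listed here fit together: a routine that picks the tunnel type and end point for an incoming call, refuses end points outside an allowed list, and produces the Access-Accept tunnel attributes and an accounting record. The policy tables, addresses, NAS names, users and the precedence between rules are assumptions of the example; the attribute names are the RADIUS tunnel attributes of RFC 2868 and RFC 2867.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Tunnel:
    tunnel_type: str   # value for Tunnel-Type, e.g. "L2TP" or "PPTP"
    endpoint: str      # value for Tunnel-Server-Endpoint (the LNS / tunnel server)
    rule: str          # which rule chose it; recorded for accounting


# Constructed policy tables (example data, not a real deployment).
STATIC_NAS = {"nas-dial-1": Tunnel("L2TP", "203.0.113.10", "static")}   # every call from this NAS
REALM_TABLE = {"example.com": Tunnel("L2TP", "203.0.113.20", "realm"),
               "partner.example": Tunnel("L2TP", "203.0.113.30", "realm")}
DNIS_TABLE = {"4441000": Tunnel("L2TP", "203.0.113.40", "called-station-id")}
USER_TABLE = {"bob@example.com": Tunnel("PPTP", "203.0.113.50", "user"),
              "eve@example.com": Tunnel("L2TP", "198.51.100.99", "user")}   # stale entry
# "Can define/limit tunnel end points": a call is never tunneled to an address outside this set.
ALLOWED_ENDPOINTS = {"203.0.113.10", "203.0.113.20", "203.0.113.30",
                     "203.0.113.40", "203.0.113.50"}


def parse_nai(nai: str) -> Tuple[str, Optional[str]]:
    """Split a Network Access Identifier of the form user@realm into (user, realm)."""
    user, sep, realm = nai.rpartition("@")
    return (nai, None) if not sep else (user, realm.lower())


def select_tunnel(nas_id: str, nai: str,
                  called_station_id: Optional[str] = None) -> Optional[Tunnel]:
    """Return the tunnel to build for this call, or None to terminate the call locally.
    Precedence (an assumption of this example): static NAS rule, then per-user entry,
    then the NAI realm, then the called number (DNIS)."""
    user, realm = parse_nai(nai)
    candidate = (STATIC_NAS.get(nas_id)
                 or USER_TABLE.get(nai.lower())
                 or (REALM_TABLE.get(realm) if realm else None)
                 or (DNIS_TABLE.get(called_station_id) if called_station_id else None))
    if candidate is None or candidate.endpoint not in ALLOWED_ENDPOINTS:
        return None
    return candidate


def access_accept_attributes(tunnel: Tunnel, lac_address: str) -> dict:
    """RADIUS attributes (RFC 2868 names) the server returns so the LAC can build the tunnel."""
    return {"Tunnel-Type": tunnel.tunnel_type,
            "Tunnel-Medium-Type": "IPv4",
            "Tunnel-Client-Endpoint": lac_address,
            "Tunnel-Server-Endpoint": tunnel.endpoint}


def accounting_record(tunnel: Tunnel, lac_address: str, tunnel_id: int, nai: str) -> dict:
    """The 'additional accounting information' of the slide: end points and tunnel ID."""
    return {"User-Name": nai,
            "Tunnel-Client-Endpoint": lac_address,
            "Tunnel-Server-Endpoint": tunnel.endpoint,
            "Acct-Tunnel-Connection": str(tunnel_id),   # RFC 2867
            "X-Selected-By": tunnel.rule}               # constructed, not a standard attribute
```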

Page 24: RADIUS Dial Up Security

• Authenticates dial-in users at the boundary of the private network

(figure: a remote user logs in through a RAS at the boundary of the private network; the RAS speaks the RADIUS protocol to a RADIUS server inside; a hacker sits outside the boundary)

Page 25: Protocol Comparison

Feature               | PPTP  L2TP  IPSEC
Authenticated Tunnels | X X
Compression           | X X X
Smart Cards           | X X
Address Allocation    | X X
Multiprotocol         | X X
Strong Encryption     | X
Flow Control          | X
Requires Server       | X X

Page 26: Virtual Private Networks via the Layer Two Tunneling Protocol (L2TP)

Page 27: L2TP Building Blocks

• L2TP Access Concentrator (LAC)
  – Typically attached to the switched network fabric, such as the public switched telephone network (PSTN)
  – Only needs to implement the media over which L2TP operates in order to pass traffic to one or more LNSs
  – Typically the initiator of incoming calls and the receiver of outgoing calls

Page 28: L2TP Building Blocks (cont.)

• L2TP Network Server (LNS)
  – Operates on any platform capable of PPP termination
  – Handles the server side of the L2TP protocol; scalability is critical
  – Able to terminate calls arriving at any LAC's full range of PPP interfaces (async, ISDN, PPP over ATM, PPP over Frame Relay)
  – The initiator of outgoing calls
  – The receiver of incoming calls

Page 29: L2TP VPN in the Network

(figure: remote/telecommuter employees dial in over analog or ISDN lines across the PSTN to the LAC at the service provider; an L2TP encapsulated tunnel crosses the Internet, Frame Relay or ATM network to the LNS on the customer premise equipment in front of the corporate network/servers; a RADIUS server sits at the service provider and another at the customer premise)

Page 30: How Does a L2TP VPN Device Work?

• Service provider provides remote access outsourcing services to utilize idle network infrastructure and provide their customers with the cost savings of using a public network like the Internet
• The customer wants to connect their remote branch offices and telecommuters to Corporate HQ servers

Page 31: How Does a L2TP VPN Device Work?

• STEP 1 – Remote users/telecommuters/branch offices initiate a session or call into a L2TP Access Concentrator (LAC) device

(figure: the network diagram of page 29 with STEP 1 highlighted: remote/telecommuter employees, analog/ISDN over the PSTN, LAC and RADIUS at the service provider, Internet/Frame Relay/ATM network, LNS and RADIUS at the customer premise (CPE), corporate network/servers)

Page 32: How Does a L2TP VPN Device Work?

• STEP 2 – The LAC sends an authentication request to a RADIUS server, which will authenticate the call and generate configuration information about the creation and type of the L2TP tunnel and the end point of the tunnel

(figure: the same diagram with STEP 2 highlighted)

Page 33: How Does a L2TP VPN Device Work?

• STEP 3 – Tunnel creation information is sent to the LAC, which encapsulates the user's PPP frames and tunnels them over the network to the LNS device.

(figure: the same diagram with STEP 3 highlighted)

Page 34: How Does a L2TP VPN Device Work?

• STEP 4 – The LNS serves as the termination point where the encapsulated L2TP frame is stripped and processed. The PPP frame is then passed on to higher layer protocols and users on the local area network.

(figure: the same diagram with STEP 4 highlighted)
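STEP 3 and STEP 4 as an added example, not from the slides: the LAC prepends an L2TP v2 data-message header (the layout of RFC 2661: flags/version, optional length, Tunnel ID, Session ID, optional Ns/Nr, optional offset) to a constructed PPP frame, and the LNS validates the header, checks that the tunnel and session are ones it has accepted, strips the header and hands the PPP frame to the higher-layer protocol named by its PPP protocol field. Tunnel and session numbers, the session table and the PPP payload are constructed; the UDP/IP transport between LAC and LNS is left out.

```python
import struct
from typing import Optional, Tuple

L2TP_VERSION = 2
# Flag bits of the first 16-bit word of an L2TP v2 header (RFC 2661, section 3.1).
F_TYPE, F_LENGTH, F_SEQ, F_OFFSET, F_PRIORITY = 0x8000, 0x4000, 0x0800, 0x0200, 0x0100

# PPP protocol numbers the LNS hands frames to after STEP 4.
PPP_PROTOCOLS = {0x0021: "IPv4", 0x8021: "IPCP", 0xC021: "LCP", 0xC023: "PAP", 0xC223: "CHAP"}


def lac_encapsulate(tunnel_id: int, session_id: int, ppp_frame: bytes,
                    ns: Optional[int] = None, nr: int = 0) -> bytes:
    """STEP 3 at the LAC: prepend an L2TP data-message header to the user's PPP frame."""
    flags = F_LENGTH | L2TP_VERSION          # T=0 (data message), Length field present
    body = struct.pack("!HH", tunnel_id, session_id)
    if ns is not None:                       # optional sequencing (S bit): Ns, Nr
        flags |= F_SEQ
        body += struct.pack("!HH", ns, nr)
    total = 4 + len(body) + len(ppp_frame)   # flags/version + length + ids/seq + payload
    return struct.pack("!HH", flags, total) + body + ppp_frame


def lns_decapsulate(datagram: bytes, sessions: dict) -> dict:
    """STEP 4 at the LNS: validate and strip the L2TP header and return the PPP frame.
    sessions maps (tunnel_id, session_id) -> peer label for tunnels this LNS has accepted;
    a frame for any other tunnel/session is dropped, not forwarded into the corporate network."""
    if len(datagram) < 6:
        raise ValueError("truncated L2TP header")
    flags = struct.unpack("!H", datagram[:2])[0]
    if (flags & 0x000F) != L2TP_VERSION:
        raise ValueError("not an L2TP v2 message")
    if flags & F_TYPE:
        raise ValueError("control message, not a data message")
    pos, end = 2, len(datagram)
    if flags & F_LENGTH:
        end = struct.unpack("!H", datagram[pos:pos + 2])[0]
        pos += 2
        if end > len(datagram):
            raise ValueError("Length field exceeds datagram")
    tunnel_id, session_id = struct.unpack("!HH", datagram[pos:pos + 4])
    pos += 4
    seq = None
    if flags & F_SEQ:
        seq = struct.unpack("!HH", datagram[pos:pos + 4])   # (Ns, Nr)
        pos += 4
    if flags & F_OFFSET:                     # skip Offset Size and the padding it describes
        pos += 2 + struct.unpack("!H", datagram[pos:pos + 2])[0]
    peer = sessions.get((tunnel_id, session_id))
    if peer is None:
        raise ValueError("unknown tunnel/session %#x/%#x, frame dropped" % (tunnel_id, session_id))
    return {"peer": peer, "seq": seq, "ppp": datagram[pos:end]}


def lns_accepts(datagram: bytes, sessions: dict) -> bool:
    """True if the LNS would forward this datagram's PPP frame."""
    try:
        lns_decapsulate(datagram, sessions)
        return True
    except (ValueError, struct.error):
        return False


def ppp_demux(frame: bytes) -> Tuple[str, bytes]:
    """Hand the PPP frame to the right higher-layer protocol. Accepts frames with or
    without the HDLC address/control bytes (FF 03) and with protocol-field compression."""
    if frame[:2] == b"\xff\x03":
        frame = frame[2:]
    if frame[0] & 1:                         # compressed one-byte protocol field
        proto, payload = frame[0], frame[1:]
    else:
        proto, payload = struct.unpack("!H", frame[:2])[0], frame[2:]
    return PPP_PROTOCOLS.get(proto, "unknown 0x%04x" % proto), payload
```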

Page 35: VPN Questions and Answers (FAQs)

Page 36: Q: What is a virtual private network?

A VPN gives users a secure way to access or link corporate network resources over the Internet or other public or private networks.

Page 37: Q: What are the elements of a VPN?

VPNs typically include a number of security features including encryption, authentication, and tunneling.

VPN software may be included on laptops and network workstations and servers, or may be included with routers and remote access servers.

Page 38: Q: How do companies use VPNs?

• In place of traditional dial-up connections to provide access to remote users and telecommuters
• To connect LANs in different sites instead of using the public switched telephone network or dedicated leased lines
• To give customers, clients and consultants access to corporate resources

Page 39: Q: Is a VPN the same thing as an extranet?

No. Most VPNs can be designed to work as an extranet. But not all extranets are VPNs.

Page 40: Q: Then what is an extranet?

Extranet is a general term that can mean many different things. The common definition of an extranet is a type of network that gives outside users, such as customers, clients and consultants, access to data residing on a corporation's network. Users access the data through a Web browser over the Internet and typically need to enter a user name and password before access to the data is granted.

Page 41: Q: How is this different from a VPN?

A VPN can be used in a similar manner, but typically a VPN has much higher security associated with it. Specifically, a VPN typically requires the establishment of a tunnel into the corporate network and the encryption of data passed between the user's PC and corporate servers.

Page 42: Q: Why bother with a VPN, aren't there other ways to give users secure access to network resources?

There are different ways to control access and provide secure access to network resources. A VPN is just one of those ways.

However, a well implemented VPN is transparent to the user and should require no special skills or knowledge to use.

Page 43: Q: What are other methods for accessing network resources over the Internet?

Depending on the level of security needed, a company could choose to use an extranet approach or a customized approach that combines password protection of network servers with third-party authentication systems.

Page 44: Q: Why do companies use VPNs?

There are many reasons to use a VPN. The most common reasons are (1) to save telecommunications costs by using the Internet to carry traffic (rather than paying long distance phone charges), (2) to save telecommunications costs by reducing the number of access lines into a corporate site, and (3) to save operational costs by outsourcing the management of remote access equipment to a service provider.

Page 45: Q: How does a VPN cut long distance phone charges?

Long distance phone charges are reduced with a VPN because a user typically dials a local call to an ISP rather than placing a long distance or international call directly to his or her company.

Page 46: Q: How do VPNs help reduce the number of access lines?

Many companies pay monthly charges for two types of access lines: (1) high-speed links for their Internet access and (2) frame relay, ISDN Primary Rate Interface or T1 lines to carry data. A VPN may allow a company to carry the data traffic over its Internet access lines, thus reducing the need for some installed lines.

Page 47: Q: How can a VPN save operational costs?

Some companies hope to save operational costs by outsourcing their remote access to an ISP or other type of service provider. The idea is that by giving users access to the network via a VPN, a company can get rid of its modem pools and remote access servers. The operational cost savings come from not having to manage those devices.

Page 48: Performance Issues

Page 49: Q: What about VPN performance?

There are several issues to consider when exploring VPN performance. Some are related to the Internet itself. Is it available? What is the latency for packets traveling across the network? Other performance issues are related to the specific VPN applications.

In general, VPNs implemented over the public Internet will have poorer performance than VPNs implemented over private IP networks.

Page 50: Q: What are the concerns about network availability?

The Internet occasionally experiences outages. For example, in 1997 there was a system-wide availability problem when a corrupted master list of Domain Names was distributed to the handful of root servers that are the heart of the Internet. More frequently, a particular Internet service provider may experience equipment problems leading to a service outage that can last from hours to days.

Page 51: Q: What can be done to ease concerns about network availability?

Many service providers are trying to improve the reliability of their networks to prevent outages. While they cannot guarantee 100 percent availability, many providers are offering service level agreements that offer credits or refunds if network availability falls below a certain level.

Page 52: Q: How good are the network availability service level agreements (SLAs)?

Most of the service providers with nation-wide backbones guarantee the network will be available at least 99.6 percent of the time. That translates into a maximum outage time of about 6.5 minutes a day before the refund or credits kick in. Some offer higher availability with refunds or credits kicking in for outages of 3 minutes per day or longer.

Page 53: Q: What are the shortcomings of these SLAs?

All VPN SLAs offered today only apply to the specific service provider's network. If the traffic crosses from one provider's network to another, the SLAs do not apply.

Page 54: Q: What about latency?

To date, there are no VPN SLAs that address latency. The service providers say they will need a number of things, like the ability to offer quality of service guarantees, to happen before latency SLAs will be offered.

Page 55: Q: Are there other issues that will prevent latency-related VPN SLAs?

Yes. IT managers will not see end-to-end latency SLAs for VPNs as they get for other services such as a Frame Relay service that carries time-sensitive SNA terminal-to-host traffic. One of the reasons end-to-end latency SLAs will not be practical for VPNs is that there are many variables, such as the type of encryption used and the client's processing power, that determine end-to-end performance in VPN applications.

Page 56: VPN Technology Questions

Page 57: Q: What are the common tunneling protocols?

There are currently three major tunneling protocols for VPNs. They are:
• Point-to-Point Tunneling Protocol (PPTP)
• Internet Protocol Security (IPSec)
• Layer 2 Tunneling Protocol (L2TP)

Two proprietary protocols often seen are:
• Ascend's ATMP
• Cisco's L2F

Page 58: Q: What types of encryption can be used in VPN applications?

Virtually all of the common encryption technologies can be used in a VPN. Most VPN equipment vendors give the user a choice. IT managers can often select anything from the 40-bit built-in encryption offered by Microsoft under Windows 95 to more robust, but less exportable, encryption technologies like triple-DES.

Page 59: Q: How are VPN users authenticated?

VPN vendors support a number of different authentication methods. Many vendors now support a wide range of authentication techniques and products including such services as RADIUS, Kerberos, token cards, NDS, NT Domain, and software and hardware-based dynamic passwords.

Page 60: Q: Can user access and authentication be linked to existing access control systems?

Yes. Some vendors, such as Lucent, support existing standards like RADIUS.

Other VPN vendors, notably Aventail, Novell, and New Oak Communications, provide ways to link VPN access rights to defined access rights such as those in Windows NT Workgroup lists, Novell Directory Services or Binderies.

Page 61: L2TP Tunnel Lab Diagram

(figure: Net 10.x.1.0 with the LAC and a Terminal Server at 10.x.1.2; a router between Net 10.x.1.0 and Net 10.x.2.0; Net 10.x.2.0 with the LNS, a RADIUS Server at 10.x.2.3, a Telnet Server at 10.x.2.5 and a Workstation at 10.x.2.128; the addresses 10.x.1.1 and 10.x.2.1 are shown on the LAC/router/LNS path. Two RADIUS servers are labelled: USERDB, "this RADIUS server is used to select the LNS based on the DNIS, Realm or other information", and a second one, "this RADIUS server is used to authenticate the user")

Page 62: L2TP Tunnel Lab Diagram

(figure: simplified view of the same lab: the LAC on Net 10.x.1.0, the LNS and USERDB on Net 10.x.2.0)