VPN (virtual private network)

VPN (Virtual Private Network)

A VPN (Virtual Private Network) extends a private network across a public network, such as the

Internet.

A VPN is a network that uses a public telecommunication infrastructure, such as the Internet, to provide

remote offices or individual users with secure access to their organization's network. A VPN ensures

privacy through security procedures and tunneling protocols such as the Layer Two Tunneling Protocol

(L2TP). Data is encrypted at the sending end and decrypted at the receiving end.

A VPN connection across the Internet is similar to a wide area network (WAN) link between websites.

From a user perspective, the extended network resources are accessed in the same way as resources

available within the private network. One major limitation of traditional VPNs is that they are point-to-

point, and do not tend to support or connect broadcast domains. Therefore communication, software,

and networking, which are based on layer 2 and broadcast packets, such as NetBIOS used in Windows

networking, may not be fully supported or work exactly as they would on a real LAN. Variants on VPN,

such as Virtual Private LAN Service (VPLS), and layer 2 tunneling protocols, are designed to overcome

this limitation.

VPNs allow employees to securely access their company's intranet while traveling outside the office.

Similarly, VPNs securely connect geographically separated offices of an organization, creating one

cohesive network. VPN technology is also used by individual Internet users to secure their wireless

transactions, to circumvent geo restrictions and censorship, and to connect to proxy servers for the

purpose of protecting personal identity and location.

Figure 1 what is VPN?


A well-designed VPN can greatly benefit a company. For example, it can:

1. Extend geographic connectivity

2. Reduce operational costs versus traditional WANs

3. Reduce transit times and traveling costs for remote users

4. Improve productivity

5. Simplify network topology

6. Provide global networking opportunities

7. Provide telecommuter support

8. Provide faster Return On Investment (ROI) than traditional WAN

What features are needed in a well-designed VPN? It should incorporate these items:

1. Security

2. Reliability

3. Scalability

4. Network Management

5. Policy Management

6. Security mechanisms

To prevent disclosure of private information, VPNs typically allow only authenticated remote access and

make use of encryption techniques.

VPNs provide security by the use of tunneling protocols and through security procedures such as

encryption.

The VPN security model provides:

1. Confidentiality such that even if the network traffic is sniffed at the packet level (see network

sniffer and Deep packet inspection), an attacker would only see encrypted data.

2. Sender authentication to prevent unauthorized users from accessing the VPN.

3. Message integrity to detect any instances of tampering with transmitted messages.

Secure VPN protocols include the following:

1. Internet Protocol Security (IPsec) as initially developed by the Internet Engineering Task Force

(IETF) for IPv6, which was required in all standards-compliant implementations of IPv6 before

RFC 6434 made it only a recommendation. This standards-based security protocol is also widely

used with IPv4 and the Layer 2 Tunneling Protocol. Its design meets most security goals:

authentication, integrity, and confidentiality. IPsec uses encryption, encapsulating an IP packet

inside an IPsec packet. De-encapsulation happens at the end of the tunnel, where the original IP

packet is decrypted and forwarded to its intended destination.


2. Transport Layer Security (SSL/TLS) can tunnel an entire network's traffic (as it does in the

OpenVPN project and SoftEther VPN project) or secure an individual connection. A number of

vendors provide remote-access VPN capabilities through SSL. An SSL VPN can connect from

locations where IPsec runs into trouble with Network Address Translation and firewall rules.

3. Datagram Transport Layer Security (DTLS)- Used in Cisco AnyConnect VPN and in OpenConnect

VPN to solve the issues SSL/TLS has with tunneling over UDP.

4. Microsoft Point-to-Point Encryption (MPPE) works with the Point-to-Point Tunneling Protocol

and in several compatible implementations on other platforms.

5. Microsoft Secure Socket Tunneling Protocol (SSTP) tunnels Point-to-Point Protocol (PPP) or Layer

2 Tunneling Protocol traffic through an SSL 3.0 channel. (SSTP was introduced in Windows Server

2008 and in Windows Vista Service Pack 1

6. Multi Path Virtual Private Network (MPVPN). Ragula Systems Development Company owns the

registered trademark "MPVPN".

7. Secure Shell (SSH) VPN- OpenSSH offers VPN tunneling (distinct from port forwarding) to secure

remote connections to a network or to inter-network links. OpenSSH server provides a limited

number of concurrent tunnels. The VPN feature itself does not support personal authentication.

Authentication

Tunnel endpoints must be authenticated before secure VPN tunnels can be established. User-created

remote-access VPNs may use passwords, biometrics, two-factor authentication or other cryptographic

methods. Network-to-network tunnels often use passwords or digital certificates. They permanently

store the key to allow the tunnel to establish automatically, without intervention from the user.

Types of VPN

Site-to-site VPN

Figure 2 Site to Site VPN VPN


Often abbreviated to S2SVPN. It’s a connection between two sites and encrypts all traffic between two

(or multiple) subnets. There are two types of S2SVPN:

1. Policy-based: interesting traffic triggers an ACL and is encrypted and sent to the remote VPN

peer.

2. Routed: traffic is routed into an encrypted tunnel to the remote VPN peer.

DMVPN (Dynamic Multipoint VPN)

A Dynamic Multipoint VPN is not a protocol but more a technique using different protocols. One or

more central hub routers are required, but the remote (spoke) routers can have dynamic IPs and more

can be added without having to modify the configuration on the hub router(s), or any other spoke

routers. The routers use a next-hop resolution protocol, combined with a dynamic routing protocol to

discover remote peers and subnets. The VPN itself is a mGRE tunnel (GRE with multiple endpoints)

which is encrypted. This way, traffic between spoke routers does not have to go through the hub router

but can be sent directly from spoke to spoke.

Client VPN

A Client VPN is an encrypted connection from one device towards a VPN router. It makes that one

remote device appear as a member of a local subnet behind the VPN router. Traffic is tunneled from the

device (usually a computer or laptop of a teleworker) towards the VPN router so that user has access to

resources inside the company. It requires client software that needs to be installed and configured.

Figure 3 DMVPN (Dynamic Multipoint VPN)

Figure 4 Client VPN


SSLVPN

This type of VPN works like a client VPN. The difference is that the remote client does not need

preconfigured software, but instead the browser acts as VPN software. The browser needs to support

active content, which every modern browser supports, either directly or through a plug-in. Traffic is

tunneled over SSL (or TLS) to the SSLVPN router. From a networking perspective, traffic is tunneled over

layer 4 instead of layer 3. The benefit is that the remote user does not need to configure anything and

can simply log in to a web page to start the tunnel. The drawback that you’ll likely need a dedicated

device as SSLVPN endpoint because this is not a standard feature.

Protocols?

For secure VPNs:

1. General IPsec

2. ESP and AH (encryption and authentication headers)

3. Key exchange (ISAKMP, IKE, and others)

4. Cryptographic algorithms

5. IPsec policy handling

6. Remote access

7. SSL and TLS

For trusted VPNs:

1. General MPLS

2. MPLS constrained by BGP routing

3. Transport of layer 2 frames over MPLS

How VPNs Work?

When planning or extending a VPN, though, you should consider the following equipment:

1. Network Access Server- As previously described, a NAS is responsible for setting up and

maintaining each tunnel in a remote-access VPN.

Figure 5 SSLVPN


2. Firewall- A firewall provides a strong barrier between your private network and the Internet. IT

staff can set firewalls to restrict what type of traffic can pass through from the Internet onto a

LAN, and on what TCP and UDP ports. Even without a VPN, a LAN should include a firewall to

help protect against malicious Internet traffic.

3. AAA Server- The acronym stands for the server's three responsibilities: authentication,

authorization and accounting. For each VPN connection, the AAA server confirms who you are

(authentication), identifies what you're allowed to access over the connection (authorization)

and tracks what you do while you're logged in (accounting).

One widely used standard for AAA servers is Remote Authentication Dial-in User Service (RADIUS).

Despite its name, RADIUS isn't just for dial-up users. When a RADIUS server is part of a VPN, it handles

authentication for all connections coming through the VPN's NAS.

VPN components can run alongside other software on a shared server, but this is not typical, and it

could put the security and reliability of the VPN at risk. A small business that isn't outsourcing its VPN

services might deploy firewall and RADIUS software on generic servers. However, as a business's VPN

needs increase, so does its need for equipment that's optimized for the VPN. The following are

dedicated VPN devices a business can add to its network. You can purchase these devices from

companies that produce network equipment, such as Cisco:

1. VPN Concentrator- This device replaces an AAA server installed on a generic server. The

hardware and software work together to establish VPN tunnels and handle large numbers of

simultaneous connections.

2. VPN-enabled/VPN-optimized Router- This is a typical router that delegates traffic on a network,

but with the added feature of routing traffic using protocols specific to VPNs.

3. VPN-enabled Firewall- This is a conventional firewall protecting traffic between networks, but

with the added feature of managing traffic using protocols specific to VPNs.

4. VPN Client- This is software running on a dedicated device that acts as the tunnel interface for

multiple connections. This setup spares each computer from having to run its own VPN client

software.

VPN Technologies

A well-designed VPN uses several methods in order to keep your connection and data secure.

Data Confidentiality- This is perhaps the most important service provided by any VPN implementation.

Since your private data travels over a public network, data confidentiality is vital and can be attained by


encrypting the data. This is the process of taking all the data that one computer is sending to another

and encoding it into a form that only the other computer will be able to decode.

Most VPNs use one of these protocols to provide encryption.

IPsec- Internet Protocol Security Protocol (IPsec) provides enhanced security features such as stronger

encryption algorithms and more comprehensive authentication. IPsec has two encryption modes: tunnel

and transport. Tunnel mode encrypts the header and the payload of each packet while transport mode

only encrypts the payload. Only systems that are IPsec-compliant can take advantage of this protocol.

Also, all devices must use a common key or certificate and must have very similar security policies set

up.

For remote-access VPN users, some form of third-party software package provides the connection and

encryption on the users PC. IPsec supports either 56-bit (single DES) or 168-bit (triple-DES) encryption.

PPTP/MPPE- PPTP was created by the PPTP Forum, a consortium which includes US Robotics, Microsoft,

3COM, Ascend, and ECI Telematics. PPTP supports multi-protocol VPNs, with 40-bit and 128-bit

encryption using a protocol called Microsoft Point-to-Point Encryption (MPPE). It is important to note

that PPTP by itself does not provide data encryption.

L2TP/IPsec- Commonly called L2TP over IPsec, this provides the security of the IPsec protocol over the

tunneling of Layer 2 Tunneling Protocol (L2TP). L2TP is the product of a partnership between the

members of the PPTP forum, Cisco, and the Internet Engineering Task Force (IETF). Primarily used for

remote-access VPNs with Windows 2000 operating systems, since Windows 2000 provides a native

IPsec and L2TP client. Internet Service Providers can also provide L2TP connections for dial-in users, and

then encrypt that traffic with IPsec between their access-point and the remote office network server.

Data Integrity- While it is important that your data is encrypted over a public network, it is just as

important to verify that it has not been changed while in transit. For example, IPsec has a mechanism to

ensure that the encrypted portion of the packet, or the entire header and data portion of the packet,

has not been tampered with. If tampering is detected, the packet is dropped. Data integrity can also

involve authenticating the remote peer.

Data Origin Authentication- It is extremely important to verify the identity of the source of the data that

is sent. This is necessary to guard against a number of attacks that depend on spoofing the identity of

the sender.

Anti-Replay- This is the ability to detect and reject replayed packets and helps prevent spoofing.

Data Tunneling/Traffic Flow Confidentiality- Tunneling is the process of encapsulating an entire packet

within another packet and sending it over a network. Data tunneling is helpful in cases where it is

desirable to hide the identity of the device originating the traffic. For example, a single device that uses

IPsec encapsulates traffic that belongs to a number of hosts behind it and adds its own header on top of

the existing packets. By encrypting the original packet and header (and routing the packet based on the


additional layer 3 header added on top), the tunneling device effectively hides the actual source of the

packet. Only the trusted peer is able to determine the true source, after it strips away the additional

header and decrypts the original header. As noted in RFC 2401 leavingcisco.com, "...disclosure of the

external characteristics of communication also can be a concern in some circumstances. Traffic flow

confidentiality is the service that addresses this latter concern by concealing source and destination

addresses, message length, or frequency of communication. In the IPsec context, using ESP in tunnel

mode, especially at a security gateway, can provide some level of traffic flow confidentiality."

All the encryption protocols listed here also use tunneling as a means to transfer the encrypted data

across the public network. It is important to realize that tunneling, by itself, does not provide data

security. The original packet is merely encapsulated inside another protocol and might still be visible

with a packet-capture device if not encrypted. It is mentioned here, however, since it is an integral part

of how VPNs function.

Tunneling requires three different protocols

1. Passenger protocol- The original data (IPX, NetBeui, IP) that is carried.

2. Encapsulating protocol- The protocol (GRE, IPsec, L2F, PPTP, L2TP) that is wrapped around the

original data.

3. Carrier protocol- The protocol used by the network over which the information is traveling.

The original packet (Passenger protocol) is encapsulated inside the encapsulating protocol, which is then

put inside the carrier protocol's header (usually IP) for transmission over the public network. Note that

the encapsulating protocol also quite often carries out the encryption of the data. Protocols such as IPX

and NetBeui, which would normally not be transferred across the Internet, can safely and securely be

transmitted.

For site-to-site VPNs, the encapsulating protocol is usually IPsec or Generic Routing Encapsulation (GRE).

GRE includes information on what type of packet you are encapsulating and information about the

connection between the client and server.

For remote-access VPNs, tunneling normally takes place using Point-to-Point Protocol (PPP). Part of the

TCP/IP stack, PPP is the carrier for other IP protocols when communicating over the network between

the host computer and a remote system. PPP tunneling will use one of PPTP, L2TP or Cisco's Layer 2

Forwarding (L2F).

AAA- Authentication, authorization, and accounting is used for more secure access in a remote-access

VPN environment. Without user authentication, anyone who sits at a laptop/PC with pre-configured

VPN client software can establish a secure connection into the remote network. With user

authentication however, a valid username and password also has to be entered before the connection is

completed. Usernames and passwords can be stored on the VPN termination device itself, or on an

external AAA server, which can provide authentication to numerous other databases such as Windows

NT, Novell, LDAP, and so on.


When a request to establish a tunnel comes in from a dial-up client, the VPN device prompts for a

username and password. This can then be authenticated locally or sent to the external AAA server,

which checks:

Who you are (Authentication)

What you are allowed to do (Authorization)

What you actually do (Accounting)

The Accounting information is especially useful for tracking client use for security auditing, billing or

reporting purposes.

Nonrepudiation- In certain data transfers, especially those related to financial transactions,

nonrepudiation is a highly desirable feature. This is helpful in preventing situations where one end

denies having taken part in a transaction. Much like a bank requires your signature before honoring your

check, nonrepudiation works by attaching a digital signature to the sent message, thus precluding the

possibility of sender denying participation in the transaction.

A number of protocols exist that can be used to build a VPN solution. All of these protocols provide

some subset of the services listed in this document. The choice of a protocol depends on the desired set

of services. For example, an organization might be comfortable with the data being transferred in clear

text but extremely concerned about maintaining its integrity, while another organization might find

maintaining data confidentiality absolutely essential. Their choice of protocols might thus be different.

Site to Site or Lan to Lan VPN

Figure 6 Site to Site VPN


It provides secure IP communication over insecure network between two branches.

IPSec/VPN

1. IKE (Internet Key Exchange)

2. ESP (Encapsulating Security Pay Load)

3. AH (Authentication Header)

VPN Features

1. Confidentiality- Data will keep as a secret using encryption. DES, 3DES, AES.

2. Integrity- It means your data will not alter during transmission using Hash, Md-5, SHA.

3. Data Origin Authentication- It means both devices will authenticate to each other using pre-

shared key, Certificate.

4. Anti-Replay- It means if your data will arrive late, it will consider as alter, and it will drop. Time &

Volume.

IKE- IKE provides a frame work to exchange the security parameters and policies between two VPN

peers.

IKE Modes IKE Phase Main Mode Or Aggressive Phase 1

Quick Mode Phase 2 Phase 2

Main Mode- In main mode 6 attributes are divided in to three steps:

(Note: Proposal = security parameters and policies.)

1. They will exchange proposal

2. They will exchange key

3. They will authenticate to each other

Figure 7


Aggressive Mode

1. Initiator will send own proposal and secret to responder

2. Responder will authenticate it. And responder will send won proposal and secret to initiator.

3. Initiator will authenticate the session.

Quick Mode- In quick mode they will re check their security parameters and policies.

Phase 1

In IKE Phase 1 they create single IKE bi directional tunnel

Phase 2

In IKE phase II they create multiple IP sec unidirectional tunnel.

VPN Features ESP AH Confidentiality Yes No

Integrity Yes Yes

DOA Yes Yes

Anti-Replay In protocol No 50 In protocol No 50

IP sec modes (Protect L4 and Upper Layer)

1. Transport Mode

2. Tunnel Mode (Protect L3 and Upper Layer) S to S, GET VPN

ISAKMP– Internet Security Association Key Management Protocol.

IKE is a Management Protocol. It uses another Protocol for Key exchange. That is called ISAKMP. It use

UDP port no 500.

Figure 8


Example

PC1(config)#int fa0/0

PC1(config-if)#ip add 192.168.101.100 255.255.255.0

PC1(config-if)#no shut

PC1(config-if)#ip route 0.0.0.0 0.0.0.0 192.168.101.1

PC2(config)#int fa0/0

PC2(config-if)#ip add 192.168.102.100 255.255.255.0

PC2(config-if)#no shut

PC2(config-if)#ip route 0.0.0.0 0.0.0.0 192.168.102.1

R1(config)#int fa0/0

R1(config-if)#ip add 192.168.101.1 255.255.255.0

R1(config-if)#no shut

R1(config)#int s0/0

R1(config-if)#ip add 101.1.1.100 255.255.255.0


R1(config-if)#ip route 0.0.0.0 0.0.0.0 101.1.1.1

R1#sh ip route static

Figure 9 Site to Site VPN Topology


ISP(config)#int s0/0

ISP(config-if)#ip add 101.1.1.1 255.255.255.0

ISP(config-if)#no shut

ISP(config)#int s0/1

ISP(config)#ip add 102.1.1.1 255.255.255.0

ISP(config-if)#no shut

R2(config)#int fa0/0

R2(config-if)#ip add 192.168.102.1 255.255.255.0


R2(config)#int s0/0

R2(config-if)#ip add 102.1.1.100 255.255.255.0


R2(config-if)#ip route 0.0.0.0 0.0.0.0 102.1.1.1

R2#sh ip route static

R2#ping 101.1.1.100

Successful

R2#ping 192.168.102.100

Successful

R2#ping 102.1.1.100

Successful

R1#ping 192.168.101.100

Successful

PC1#ping 192.168.102.100

R1(config)#crypto isakmp policy 1

R1(config-isakmp)#authentication pre-share

R1(config-isakmp)#encryption ?

R1(config-isakmp)#encryption aes

R1(config-isakmp)#hash ?

R1(config-isakmp)#hash sha

R1(config-isakmp)#group ?

R1(config-isakmp)#group 5

R1(config-isakmp)#lifetime 1800

R1(config-isakmp)#exit

R1(config)#crypto isakmp key mani add 102.1.1.100

R1(config)# crypto ipsec transform-set t-set esp-aes esp-shahmac

R1(cfg-crypto-trans)#mode tunnel

R1(cfg-crypto-trans)#exit

R1(config)#crypto ipsec security-association lifetime seconds 1800


R1(config)#access-list 101 permit ip 192.168.101.0 0.0.0.255 192.168.102.0 0.0.0.255

R1(config)#crypto map test 10 ipsec-isakmp

R1(config-crypto-map)#set peer 102.1.1.100

R1(config-crypto-map)#set transform-set t-set

R1(config-crypto-map)#match address 101

R1(config-crypto-map)#int s0/0

R1(config-if)#crypto map test

R1#sh his

R2(config)#crypto isakmp policy 1

R2(config-isakmp)#authentication pre-share

R2(config-isakmp)#encryption aes

R2(config-isakmp)#hash sha

R2(config-isakmp)#group 5

R2(config-isakmp)#Lifetime 1800

R2(config-isakmp)#exit

R2(config)#crypto isakmp key mani add 101.1.1.100

R2(config)#crypto ipsec transform-set ttt esp-aes esp-sha-hmac

R2(config-crypto-trans)#mode tunnel 1

R2(config-crypto-trans)#exit

R2(config)#crypto ipsec security-association lifetime seconds 1800

R2(config)#access-list 102 permit ip 192.168.102.0 0.0.0.255 192.168.101.0 0.0.0.255

R2(config)#crypto map test 10 ipsec-isakmp

R2(config-crypto-map)#set peer 101.1.1.100

R2(config-crypto-map)#set transform-set ttt

R2(config-crypto-map)#match address 102

R2(config-crypto-map)#int s0/0

R2(config-if)#crypto map test

R2#sh his

PC1#ping 192.168.102.100 repeat 300

Successful

VPN (virtual private network)

Technology

Transcript of VPN (virtual private network)