
Learning to Live and Work with Virtual Private Networks

Richard Perlman (perl@lucent.com). Learning to Live and Work with Virtual Private Networks. CEENET #6, Budapest, Hungary. Tunneling Defined: Creating a transparent virtual network link between two network nodes that is unaffected by physical network links and devices.





Presentation Transcript


  1. Richard Perlman (perl@lucent.com). Learning to Live and Work with Virtual Private Networks. CEENET #6, Budapest, Hungary

  2. Tunneling Defined: Creating a transparent virtual network link between two network nodes that is unaffected by physical network links and devices.

  3. Tunneling Explained • Tunneling is encapsulating one protocol in another • Tunnels provide routable transport for unroutable packets • e.g. encrypted packets, illegal addressing, unsupported protocols • Tunneling itself provides no security

  4. Tunneling Illustrated

  5. Tunneling Illustrated

  6. Tunneling Illustrated [Diagram: LAN A and LAN B]

  7. Tunneling Illustrated [Diagram: Workstation X on LAN A, Router A, tunnel, Router B, Workstation Y on LAN B] • Step 1. Original, unroutable IP packet (dest Y) sent to router • Step 2. Original IP packet encapsulated in another IP packet • Step 3. Original packet extracted, sent to destination
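The three steps above worked through as an added Python example (not from the slides): a minimal IP-in-IP encapsulation in the style of RFC 2003, with constructed addresses (10.x workstations, 203.0.113.1 and 198.51.100.9 as the two routers). The last helper makes the point of slide 3 concrete: tunneling by itself leaves the original packet readable on the wire.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4   # protocol number for "IP in IP" encapsulation (RFC 2003)

def checksum(hdr: bytes) -> int:
    """Standard IPv4 one's-complement header checksum."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 packet: 20-byte header without options, then the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload); reject truncated or corrupted headers."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or (pkt[0] & 0x0F) < 5:
        raise ValueError("not a well-formed IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl or checksum(pkt[:ihl]) != 0:
        raise ValueError("truncated header or bad checksum")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    src, dst = ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20])
    return str(src), str(dst), pkt[9], pkt[ihl:total_len]

def step1_original_packet(payload: bytes) -> bytes:
    """Step 1: workstation X (10.1.0.5, constructed) sends to Y (10.2.0.7) on LAN B."""
    return build_ipv4("10.1.0.5", "10.2.0.7", 17, payload)   # 17 = UDP

def step2_encapsulate(inner: bytes, router_a: str, router_b: str) -> bytes:
    """Step 2: router A wraps the entire original packet in a new IP packet to router B."""
    return build_ipv4(router_a, router_b, IPPROTO_IPIP, inner)

def step3_decapsulate(outer: bytes) -> bytes:
    """Step 3: router B strips the outer header and forwards the original packet."""
    _, _, proto, inner = parse_ipv4(outer)
    if proto != IPPROTO_IPIP:
        raise ValueError("outer packet is not an IP-in-IP tunnel packet")
    parse_ipv4(inner)   # validate the inner header before forwarding it
    return inner

def payload_visible_on_wire(outer: bytes, payload: bytes) -> bool:
    return payload in outer   # tunneling alone gives no secrecy: the inner bytes travel in clear
```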

  8. Virtual Private Networks (VPN) • What is a VPN? • A means of augmenting a shared network on a secure basis through encryption and/or tunneling • Tunnels created between endpoints for transporting data securely across public networks • Benefits • Leverages existing Service Provider infrastructure for private data communications • Cost savings

  9. What Is an IP VPN? • Emulate a private network over a shared IP network… [Diagram: Branch Offices, Remote Workers, Corporate Headquarters and Customers/Suppliers connected through a Shared IP Network / Internet] • Why IP? • Service differentiation, global connectivity, flexibility, platform for fast-growing new services (e.g. e-commerce)

  10. Types of IP VPN Services • Service options • Applications: Dial, Intranet, Extranet • QoS: End-to-end guarantees, service differentiation, best effort • Security: Network based, user based • Infrastructure: Internet, IP, ATM, MPLS

  11. One way to communicate… [Diagram: Tokyo, New York HQ and London sites, each with LAN, Router, CSU/DSU, Firewall and Remote Access Server, joined by PSTN (Dial) or Dedicated Lines; Internet and Web Sites reached from New York]

  12. Another view of network possibilities... A Virtual Private Network [Diagram: Tokyo, New York and London LANs, each behind a Firewall and a Router w/L2TP with CSU/DSU, connected over the Internet; Web Sites and Remote Clients also on the Internet]

  13. Internet as Backbone: Dial-Up [Diagram: Remote User with VPN Software, Secure Tunnel across the Internet/ISP Network to the VPN Gateway of the Private Network; a Hacker sits on the public side]

  14. Internet as Backbone: Branch Offices [Diagram: Branch Office VPN Router, Secure Tunnel across the Internet/ISP Network to the VPN Gateway of the Private Network]

  15. Shared Dial Networking [Diagram: Mobile Employee, Telecommuter and Contractor each dial into an IAG on the Shared Service Provider Network; Tunneled Traffic to the VPN Gateway of the Private Network]

  16. Virtual Private Networks: Extends the private network boundary across a shared network using tunneling technology [Diagram: Virtual Private Dial-Up users enter via an IAG; Tunnels across the Shared Network to VPN Gateways; Private Servers and Internal Users inside]

  17. Types of Tunnels • Two basic types of tunnels • Voluntary tunnels • Tunneling initiated by the end-user (requires client software on the remote computer) • Compulsory tunnels • Tunnel is created by the NAS or router (tunneling support required on the NAS or router)

  18. Voluntary Tunnels • Will work with any network device • Tunneling transparent to leaf and intermediate devices • But user must have a tunneling client compatible with the tunnel server • PPTP, L2TP, L2F, IPSEC, IP-IP, etc. • Simultaneous access to Intranet (via tunnel) and Internet possible • Employees can use personal accounts for corporate access • Remote office applications • Dial-up VPNs for low traffic volumes

  19. A Voluntary PPTP Tunnel

  20. Compulsory Tunnels • Will work with any client • But the NAS must support the same tunnel method • Tunneling transparent to intermediate routers • Network access controlled by tunnel server • User traffic can only travel through the tunnel • Internet access possible • Must be by pre-defined facilities • Greater control • Can be monitored

  21. Compulsory Tunnels • Static Tunnels • All calls from a given NAS/Router tunneled to a given server • Realm-based tunnels • Each tunnel based on information in the NAI (i.e. user@realm) • User-based tunnels • Calls tunneled based on userID data stored in the authentication system

  22. A Compulsory L2TP Tunnel

  23. RADIUS Support for Tunnels • Can define tunnel type • Can define/limit tunnel end points • Allows tunnel configuration to be based on Calling-Station-ID or Called-Station-ID • Additional accounting information • Tunnel end points • Tunnel ID, etc.
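Added example (not from the presentation) of how a RADIUS server can define the tunnel type and limit tunnel endpoints, and how the LAC can enforce that limit, using the RFC 2868 tagged tunnel attributes and the realm-based selection from the NAI described on slide 21; the realm table, the allow-list and the LNS host names are constructed.

```python
import struct

# RFC 2868 tunnel attributes carried in a RADIUS Access-Accept
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_SERVER_ENDPOINT = 64, 65, 67
TUNNEL_TYPE_L2TP, TUNNEL_MEDIUM_IPV4 = 3, 1   # Tunnel-Type "L2TP", Tunnel-Medium-Type "IPv4"

# Constructed realm policy (RADIUS side): each realm's calls are tunneled to its own LNS.
REALM_TO_LNS = {"example.com": "lns.example.com", "example.net": "lns.example.net"}
# Constructed LAC-side allow-list: the only endpoints this NAS is permitted to tunnel to.
ALLOWED_ENDPOINTS = {"lns.example.com", "lns.example.net"}

def realm_of(nai: str) -> str:
    """Extract the realm from an NAI of the form user@realm."""
    user, sep, realm = nai.partition("@")
    if not (user and sep and realm):
        raise ValueError("NAI must be user@realm")
    return realm.lower()

def tagged_attr(attr_type: int, tag: int, value: bytes) -> bytes:
    """Encode one tagged attribute as Type, Length, Tag, Value (RFC 2868)."""
    body = bytes([tag]) + value
    return struct.pack("!BB", attr_type, 2 + len(body)) + body

def tunnel_attrs_for(nai: str, tag: int = 1) -> bytes:
    """RADIUS server side: select the tunnel for the user's realm and encode it."""
    endpoint = REALM_TO_LNS[realm_of(nai)]   # KeyError: unknown realm, no tunnel defined
    return (tagged_attr(TUNNEL_TYPE, tag, struct.pack("!I", TUNNEL_TYPE_L2TP)[1:])
            + tagged_attr(TUNNEL_MEDIUM_TYPE, tag, struct.pack("!I", TUNNEL_MEDIUM_IPV4)[1:])
            + tagged_attr(TUNNEL_SERVER_ENDPOINT, tag, endpoint.encode()))

def parse_tagged_attrs(data: bytes) -> dict:
    """Decode attributes into {(type, tag): value}; a first octet above 0x1F is not a tag."""
    out, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 3 or i + data[i + 1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        attr_type, length, tag = data[i], data[i + 1], data[i + 2]
        value_start = i + 3 if tag <= 0x1F else i + 2
        out[(attr_type, tag if tag <= 0x1F else 0)] = data[value_start:i + length]
        i += length
    return out

def lac_select_tunnel(attrs: bytes, tag: int = 1) -> str:
    """LAC side: accept the tunnel only if it is L2TP over IPv4 to an allowed endpoint."""
    a = parse_tagged_attrs(attrs)
    ttype, medium = (int.from_bytes(a[(t, tag)], "big") for t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE))
    endpoint = a[(TUNNEL_SERVER_ENDPOINT, tag)].decode()
    if ttype != TUNNEL_TYPE_L2TP or medium != TUNNEL_MEDIUM_IPV4 or endpoint not in ALLOWED_ENDPOINTS:
        raise ValueError("tunnel type %d/medium %d to %r refused by LAC policy" % (ttype, medium, endpoint))
    return endpoint
```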

  24. RADIUS Dial Up Security: Authenticates dial-in users at the boundary of the private network [Diagram: Remote User or Hacker logs in to the RAS at the boundary; the RAS speaks the RADIUS Protocol to the RADIUS Server inside the Private Network]

  25. Protocol Comparison (columns: PPTP, L2TP, IPSEC) • Authenticated Tunnels: X X • Compression: X X X • Smart Cards: X X • Address Allocation: X X • Multiprotocol: X X • Strong Encryption: X • Flow Control: X • Requires Server: X X

  26. Virtual Private Networks via the Layer Two Tunneling Protocol (L2TP)

  27. L2TP Building Blocks • L2TP Access Concentrator (LAC) • Typically attached to the switched network fabric, such as the public switched telephone network (PSTN) • Only needs to implement the media over which L2TP operates in order to pass traffic to one or more LNSs • Typically the initiator of incoming calls and the receiver of outgoing calls

  28. L2TP Building Blocks (cont'd) • L2TP Network Server (LNS) • Operates on any platform capable of PPP termination • Handles the server side of the L2TP protocol • Scalability is critical • Able to terminate calls arriving at any LAC's full range of PPP interfaces (async, ISDN, PPP over ATM, PPP over Frame Relay) • The initiator of outgoing calls • The receiver of incoming calls

  29. L2TP VPN in the Network [Diagram: Remote, Telecommuter Employees dial in (ISDN, Analog) over the PSTN to the Service Provider's LAC; an L2TP Encapsulated Tunnel crosses the Internet, Frame Relay or ATM Network to the LNS at the Customer Premise Equipment in front of the Corporate Network/Servers; RADIUS servers at both the service provider and the customer]

  30. How Does an L2TP VPN Device Work? • The service provider offers remote access outsourcing services to utilize idle network infrastructure and give its customers the cost savings of using a public network like the Internet • The customer wants to connect its remote branch offices and telecommuters to Corporate HQ servers

  31. How Does an L2TP VPN Device Work? • STEP 1 • Remote users/telecommuters/branch offices initiate a session or call into an L2TP Access Concentrator (LAC) device [Diagram: same topology as slide 29 (PSTN, Service Provider LAC, Internet/Frame Relay/ATM network, CPE LNS, Corporate Network/Servers, RADIUS at each end); STEP 1 marked at the LAC]

  32. How Does an L2TP VPN Device Work? • STEP 2 • The LAC sends an authentication request to a RADIUS server, which authenticates the call and generates configuration information about the creation and type of the L2TP tunnel and the end point of the tunnel [Diagram: same topology as slide 29; STEP 2 marked between the LAC and the service provider's RADIUS server]

  33. How Does an L2TP VPN Device Work? • STEP 3 • Tunnel creation information is sent to the LAC, which encapsulates the user's PPP frames and tunnels them over the network to the LNS device. [Diagram: same topology as slide 29; STEP 3 marked on the tunnel from the LAC to the LNS]

  34. How Does an L2TP VPN Device Work? • STEP 4 • The LNS serves as the termination point where the encapsulated L2TP frame is stripped and processed. The PPP frame is then passed on to higher layer protocols and users on the local area network. [Diagram: same topology as slide 29; STEP 4 marked at the LNS]
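Steps 3 and 4 as an added Python example, not the author's or any vendor's code: the LAC prefixes a PPP frame with an L2TPv2 data-message header (RFC 2661), the LNS validates and strips it, drops frames whose Tunnel ID/Session ID pair is not in its (constructed) session table, and hands the PPP frame upward by its protocol number.

```python
import struct

L2TP_VERSION = 2
FLAG_T = 0x8000   # 1 = control message, 0 = data message
FLAG_L = 0x4000   # Length field present
FLAG_S = 0x0800   # Ns/Nr sequence fields present
FLAG_O = 0x0200   # Offset Size field present
PPP_PROTO_IP = 0x0021

# Constructed LNS session table: (Tunnel ID, Session ID) pairs the LNS has set up.
LNS_SESSIONS = {(7, 101), (7, 102)}

def lac_encapsulate(tunnel_id: int, session_id: int, ppp_frame: bytes) -> bytes:
    """STEP 3 (LAC): prefix one PPP frame with an L2TP data-message header (RFC 2661)."""
    header = struct.pack("!HHHH", FLAG_L | L2TP_VERSION, 8 + len(ppp_frame), tunnel_id, session_id)
    return header + ppp_frame

def lns_decapsulate(msg: bytes):
    """STEP 4 (LNS): strip the L2TP header, return (tunnel_id, session_id, ppp_frame)."""
    if len(msg) < 6:
        raise ValueError("truncated L2TP header")
    flags = struct.unpack("!H", msg[:2])[0]
    if flags & 0x000F != L2TP_VERSION or flags & FLAG_T:
        raise ValueError("not an L2TPv2 data message")
    pos = 2
    if flags & FLAG_L:
        length = struct.unpack("!H", msg[2:4])[0]
        if length < 8 or length > len(msg):
            raise ValueError("bad L2TP length field")
        msg, pos = msg[:length], 4     # ignore any trailing padding
    tunnel_id, session_id = struct.unpack("!HH", msg[pos:pos + 4])
    pos += 4
    if flags & FLAG_S:
        pos += 4                       # skip Ns and Nr
    if flags & FLAG_O:
        pos += 2 + struct.unpack("!H", msg[pos:pos + 2])[0]
    if pos > len(msg):
        raise ValueError("header overruns message")
    if (tunnel_id, session_id) not in LNS_SESSIONS:
        raise ValueError("frame for unknown tunnel/session, dropped")
    return tunnel_id, session_id, msg[pos:]

def ppp_protocol(frame: bytes) -> int:
    """Hand the PPP frame upward: skip optional HDLC Address/Control (FF 03), read the protocol."""
    if frame[:2] == b"\xff\x03":
        frame = frame[2:]
    return struct.unpack("!H", frame[:2])[0]
```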

  35. VPN Questions and Answers (FAQs)

  36. Q: What is a virtual private network? • A VPN gives users a secure way to access or link corporate network resources over the Internet or other public or private networks.

  37. Q: What are the elements of a VPN? • VPNs typically include a number of security features, including encryption, authentication, and tunneling. • VPN software may be included on laptops, network workstations and servers, or may be included with routers and remote access servers.

  38. Q: How do companies use VPNs? • In place of traditional dial-up connections, to provide access to remote users and telecommuters • To connect LANs in different sites instead of using the public switched telephone network or dedicated leased lines • To give customers, clients and consultants access to corporate resources.

  39. Q: Is a VPN the same thing as an extranet? • No. Most VPNs can be designed to work as an extranet. But not all extranets are VPNs.

  40. Q: Then what is an extranet? • Extranet is a general term that can mean many different things. The common definition of an extranet is a type of network that gives outside users, such as customers, clients and consultants, access to data residing on a corporation's network. Users access the data through a Web browser over the Internet and typically need to enter a user name and password before access to the data is granted.

  41. Q: How is this different from a VPN? • A VPN can be used in a similar manner, but typically a VPN has much higher security associated with it. Specifically, a VPN typically requires the establishment of a tunnel into the corporate network and the encryption of data passed between the user's PC and corporate servers.

  42. Q: Why bother with a VPN, aren't there other ways to give users secure access to network resources? • There are different ways to control access and provide secure access to network resources. A VPN is just one of those ways. • However, a well implemented VPN is transparent to the user and should require no special skills or knowledge to use.

  43. Q: What are other methods for accessing network resources over the Internet? • Depending on the level of security needed, a company could choose to use an extranet approach or a customized approach that combines password protection of network servers with third-party authentication systems.

  44. Q: Why do companies use VPNs? • There are many reasons to use a VPN. The most common reasons are (1) to save telecommunications costs by using the Internet to carry traffic (rather than paying long distance phone charges), (2) to save telecommunications costs by reducing the number of access lines into a corporate site, and (3) to save operational costs by outsourcing the management of remote access equipment to a service provider.

  45. Q: How does a VPN cut long distance phone charges? • Long distance phone charges are reduced with a VPN because a user typically dials a local call to an ISP rather than placing a long distance or international call directly to his or her company.

  46. Q: How do VPNs help reduce the number of access lines? • Many companies pay monthly charges for two types of access lines: (1) high-speed links for their Internet access, and (2) frame relay, ISDN Primary Rate Interface or T1 lines to carry data. A VPN may allow a company to carry the data traffic over its Internet access lines, thus reducing the need for some installed lines.

  47. Q: How can a VPN save operational costs? • Some companies hope to save operational costs by outsourcing their remote access to an ISP or other type of service provider. The idea is that by giving users access to the network via a VPN, a company can get rid of its modem pools and remote access servers. The operational cost savings come from not having to manage those devices.

  48. Performance Issues

  49. Q: What about VPN performance? • There are several issues to consider when exploring VPN performance. Some are related to the Internet itself. Is it available? What is the latency for packets traveling across the network? Other performance issues are related to the specific VPN applications. • In general, VPNs implemented over the public Internet will have poorer performance than VPNs implemented over private IP networks.

  50. Q: What are the concerns about network availability? • The Internet occasionally experiences outages. For example, in 1997 there was a system-wide availability problem when a corrupted master list of Domain Names was distributed to the handful of root servers that are the heart of the Internet. More frequently, a particular Internet service provider may experience equipment problems leading to a service outage that can last from hours to days.
