ABSTRACT

 

A virtual private network (VPN) is the extension of a private network that encompasses links across shared or public networks like the Internet. A VPN enables you to send data between two computers across a shared or public internetwork in a manner that emulates the properties of a point-to-point private link.

 

VPNs have proven popular because they offer operational savings while maintaining the security associated with private network infrastructure. Using a VPN, a traveling worker or branch office can be connected to the corporate network with a local phone call, providing significant savings over using long distance, 800 numbers, or leased lines. Security is maintained because the VPN uses a secure tunneled connection, allowing only authenticated users access to the corporate Intranet.

 

VPN solutions offer 128-bit encryption within the United States, with 40-bit encryption supported overseas where permitted by law. A Virtual Private Network can be described as the ability to tunnel through the Internet or other public network in a manner that provides the same security and other features formerly only available on private networks. With tunneling, a message packet is encapsulated within an IP packet for transmission across the public network, with the encapsulating information being stripped off upon arrival at the target network, such as the corporate local area network (LAN).

 

Security Issues

 

PPTP

The Point-to-Point Tunneling Protocol (PPTP) was designed to provide the lowest Total Cost of Ownership. PPTP runs well on a wide variety of hardware, supports password authentication, and does not require implementation of a certificate infrastructure.

 

L2TP and IPSEC

Layer 2 Tunneling Protocol (L2TP) and Internet Protocol Security (IPSEC) are designed to provide the highest possible security. Consequently, these VPN solutions require deployment of a Public Key Infrastructure, and require a Pentium-class processor.

 

VPN allows organizations to take advantage of the convenience and cost savings of tunneling through public networks, without opening the door to unauthorized access.

 


Virtual Private Networks (VPN)

 

I. Introduction

Computer networks are an important medium for communication.  Companies have their own internal networks and exchange information both within and outside them.  As companies grow and the number of branches increases, they need to find ways to exchange information securely.  Virtual Private Networks (VPN) are a solution to this at a reasonable cost.  I will introduce the basic concepts of VPN networks.

 

II. What is VPN?

A virtual private network is a way to simulate a private network over a public network, such as the Internet.  It is called “virtual” because it depends on the use of virtual connections – that is, temporary connections that have no real physical presence, but consist of packets routed over various machines on the Internet on an ad hoc basis.  Using the Internet for remote access saves a lot of money.  You’ll be able to dial in wherever your Internet service provider (ISP) has a point-of-presence (POP).  If you choose an ISP with nationwide POPs, your private network (LAN) is a local phone call away.  You will be able to connect from any location as long as you have access to the Internet; this is especially useful for sales people on the road or at home.

 

In many cases, long-distance connections between private networks use a leased line, a connection to a frame relay network, or ISDN.  Although a leased line such as a T1 assures a fast connection that is always available and private, it can be expensive because leased lines are typically billed as a flat monthly fee plus mileage charges.  If a company has offices across the country, this cost can be prohibitive.  Frame relay lines can also give you high speeds without the mileage charges.  You purchase a connection to a frame cloud, which connects you through switches to your destination.  Unlike a leased line, the amount you pay depends more on the bandwidth committed to your circuit than on distance.  Frame connections are still somewhat expensive, however.  ISDN, like the conventional telephone system, incurs long-distance charges.  In many locations, the local telephone company charges per minute even for local calls, which again runs expenses up.  For corporate offices in separate cities, having each office get a T1, frame relay, or ISDN line to an ISP’s local POP is much cheaper than connecting the two offices directly using these technologies.  A VPN can then be set up between the routers at the two offices, over the Internet.  In addition, a VPN allows you to consolidate your Internet and WAN connections into a single router and single line, saving you money on equipment and telecommunication infrastructure.

 

III. Secure connection over the Internet

Secure virtual connections are created between two machines, a machine and a network, or two networks over public networks such as the Internet.  A VPN usually achieves this by employing some combination of firewalls, encryption, authentication, and tunneling.  Tunneling, sometimes called encapsulation, refers to the process of encapsulating or embedding one network protocol to be carried within the packets of a second network.

a. Firewalls

It is not practical to physically isolate your network and stay competitive in business today.  Setting up a firewall between the internal network and the outside restricts access to the internal network from outside.  Firewall technology consists of chokes and gates: chokes are computers or communication devices that restrict data flows, and gates are packet-filtering routers and proxy servers.  A firewall is a set of programs located at a network gateway (routers or servers) that protects the resources of a private network from other networks.  There are three types of firewall architecture: packet filter, screened-host, and screened-subnet.

 

1. Packet filter architecture

This is the most common and simplest firewall architecture.  A router, which has both a firewall component and an external network interface, examines each packet and decides whether to allow it into the internal network.  It is the most cost-effective and requires little maintenance; however, it has no auditing features and is vulnerable to IP address spoofing, tiny-fragment attacks using illegal packet sizes, and so on.

2. Screened-host architecture

This topology uses a gateway host (computer) behind the packet-filtering interface.  The packet filter sends incoming and outgoing traffic only to and from the gateway host.  The multihomed host (more than one Network Interface Card installed) supports both circuit-level (addressing) and application-level (SMTP, HTTP and FTP) gateway services, which creates a second line of defense.  However, it is more expensive than the packet filter architecture, and internal users may experience degraded performance compared with simple packet filtering, because packets must pass through two firewall layers.

3. Screened-subnet architecture (DMZ)

This architecture is often called a demilitarized zone.  The name derives from the geographic buffer zone that was created between North Korea and South Korea after the war in the early 1950s.  A neutral zone is created between the internal and external networks.  A gateway host is placed within the zone and packet filters are placed on both sides.  Now packets are required to pass through three filtering stages, which makes this topology the most secure of the three architectures.

 

4. The use of firewalls in a VPN

The importance of firewalling to a virtual private network is straightforward.  Since a VPN is an interconnection of two or more separate networks over public networks, it follows that these networks must each be protected in their own right.  Each connection needs a protective wall around it to make it safe from invasion.  The concept behind using firewalls with a VPN is to secure the networks as if they were isolated; then the system administrator opens specific ports in the packet-filtering router to allow the encrypted data to stream from one connection to the next.  Thus, a private and secure communication channel is set up between two sites, based on the type and implementation of the cryptographic routines used.  The VPN software provides the security and the application-layer routing, so that the networks in question appear as one to users at either end.  Firewall techniques are the first line of protection in the fabric of a VPN, and they must be developed and tested before the benefits of the VPN can be fully utilized.
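As an added example (it is not from this paper, and the addresses, rule table and port numbers are constructed samples), the following Python models the packet-filter router described in the sections above: a first-match rule table that admits only VPN traffic (PPTP control on TCP 1723, GRE, ISAKMP on UDP 500 and ESP) to a gateway, with everything else denied. It also shows the two checks a defender adds against the weaknesses named for packet filters: an ingress anti-spoofing rule (an internal source address can never legitimately arrive on the Internet-facing interface) and the tiny-fragment rules of RFC 1858. Because a plain packet filter has no auditing, the function returns a reason alongside the decision so the caller can log it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    iface: str                  # interface the packet arrived on: "ext" (Internet) or "int" (LAN)
    src: str
    dst: str
    proto: str                  # "tcp", "udp", "gre" or "esp"
    dport: Optional[int]        # transport-layer destination port, None for gre/esp or non-first fragments
    frag_offset: int = 0        # IP fragment offset in 8-byte units
    more_fragments: bool = False
    payload_len: int = 1000     # bytes carried after the IP header


INTERNAL = ip_network("10.0.0.0/8")   # constructed sample: the private network behind the router
VPN_SERVER = "10.0.0.1/32"            # constructed sample: the PPTP / IPSec gateway address

# Constructed rule table: first match wins, anything unmatched is denied.
# Fields: action, ingress interface, source network, destination network, protocol, destination port.
RULES = [
    ("allow", "ext", None, VPN_SERVER, "tcp", 1723),    # PPTP control channel
    ("allow", "ext", None, VPN_SERVER, "gre", None),    # PPTP data (GRE)
    ("allow", "ext", None, VPN_SERVER, "udp", 500),     # ISAKMP key exchange
    ("allow", "ext", None, VPN_SERVER, "esp", None),    # IPSec ESP
    ("allow", "int", str(INTERNAL), None, None, None),  # anything originating inside may leave
]

# Hypothetical threshold: enough of a first fragment to hold the TCP ports and flags
MIN_FIRST_FRAGMENT = 16


def _in(net: Optional[str], addr: str) -> bool:
    """A rule field of None matches any address."""
    return net is None or ip_address(addr) in ip_network(net)


def filter_packet(pkt: Packet, rules=RULES):
    """Return (decision, reason). The reason is what a plain packet filter cannot report on its own."""
    # Anti-spoofing: internal addresses arriving from the Internet side are forged.
    if pkt.iface == "ext" and ip_address(pkt.src) in INTERNAL:
        return "deny", "internal source address on external interface (spoofing)"
    # Tiny-fragment defence: a first fragment too short to carry the transport header is dropped,
    # and so is any fragment at offset 1, which could overwrite the port fields (RFC 1858).
    if pkt.frag_offset == 0 and pkt.more_fragments and pkt.payload_len < MIN_FIRST_FRAGMENT:
        return "deny", "first fragment too short to hold transport header"
    if pkt.frag_offset == 1:
        return "deny", "fragment at offset 1 (tiny fragment overlap)"
    for index, (action, iface, src_net, dst_net, proto, dport) in enumerate(rules):
        if (pkt.iface == iface and _in(src_net, pkt.src) and _in(dst_net, pkt.dst)
                and proto in (None, pkt.proto) and dport in (None, pkt.dport)):
            return action, f"matched rule {index}"
    return "deny", "no matching rule (default deny)"


if __name__ == "__main__":
    samples = [
        Packet("ext", "203.0.113.7", "10.0.0.1", "tcp", 1723),
        Packet("ext", "203.0.113.7", "10.0.0.1", "tcp", 445),
        Packet("ext", "10.0.0.5", "10.0.0.1", "tcp", 1723),
        Packet("ext", "203.0.113.7", "10.0.0.1", "tcp", None, frag_offset=1),
    ]
    for sample in samples:
        print(sample.src, "->", sample.dst, sample.proto, sample.dport, filter_packet(sample))
```

Note that a non-first fragment carries no port numbers, so it never matches a port-specific rule and falls through to the default deny; that is the stateless behaviour of this architecture, and one reason the screened-host and screened-subnet designs add an application-level gateway behind the filter.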

b. Tunneling

Tunneling, also known as encapsulation, is a method of using an internetwork infrastructure to transfer frames or packets.  The frames or packets can belong to another protocol.  Instead of sending the frame as produced by the sending computer, the frame is encapsulated with an additional header.  The additional header provides routing information so that the encapsulated frames or packets can cross the intermediate network.  The encapsulated packets are then routed between tunnel endpoints over the transit internetwork.  Once the encapsulated frames reach their destination on the transit internetwork, the frame is de-encapsulated and forwarded to its final destination.  Tunneling can be achieved with one of the following: Point-to-Point Tunneling Protocol (PPTP), Layer Two Tunneling Protocol (L2TP), IP Security (IPSec) tunnel mode, and IP-in-IP tunneling.

1. Point-to-Point Tunneling Protocol (PPTP)

PPTP was created by the PPTP forum consisting of Microsoft Corporation, Ascend Communications, 3COM, ECI Telematics, and US Robotics.  It is one of the more widely implemented VPN protocols if for no other reason than it was one of the earliest.  PPTP operates at the data link layer (layer 2) of the OSI model and can be used to create a VPN between computers running the Windows operating system.  PPTP is basically an extension of the Point-to-Point Protocol (PPP), the Internet standard for transmitting network layer datagrams such as IP packets over serial point-to-point links and is used by TCP/IP routers and PCs to send packets over dial-up and leased-line connections.

 

PPTP does not itself provide encryption.  Instead, encryption for the PPTP tunnel is provided by Microsoft Point-to-Point Encryption (MPPE).  Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) is the preferred setting for clients supporting Microsoft encryption.  It uses RSA’s MD4 algorithm to ensure integrity and the RC4 algorithm for confidentiality of the data.  To establish a connection, the MS-CHAP server sends a unique random challenge to the client.  The client uses the challenge to encrypt the client’s password.  The result is then returned to the server to log the client in.
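The challenge/response exchange just described, as an added Python example that is not the paper's own material and not the real MS-CHAP wire format: the server issues a fresh random challenge, the client answers with a keyed function of its stored password hash and that challenge, and the server checks the answer against its own copy. Two things are assumptions of this example rather than MS-CHAP specifics: SHA-256 stands in for the MD4 password hash and the DES-based response computation (MD4 is not present in every Python build), and each challenge is made single-use so a captured response is useless against a later login. The design point it makes stands for MS-CHAP as well: the password never crosses the wire, but the stored hash is all the client needs to respond, so the hash is password-equivalent and must be protected like one.

```python
import hashlib
import hmac
import os


def password_hash(password: str) -> bytes:
    """Stored verifier. MS-CHAP keeps an MD4 hash of the Unicode password; SHA-256 stands in here."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def compute_response(pw_hash: bytes, challenge: bytes) -> bytes:
    """Response = keyed function of (password hash, challenge). Both sides can compute it; nobody sends the password."""
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()


class ChapServer:
    def __init__(self, accounts: dict):
        self.accounts = accounts      # username -> stored password hash (constructed sample data)
        self.outstanding = {}         # username -> challenge currently awaiting a response

    def challenge(self, username: str) -> bytes:
        chal = os.urandom(16)         # unique and unpredictable per login attempt
        self.outstanding[username] = chal
        return chal

    def verify(self, username: str, response: bytes) -> bool:
        chal = self.outstanding.pop(username, None)   # single-use: consumed on first verification
        if chal is None or username not in self.accounts:
            return False
        expected = compute_response(self.accounts[username], chal)
        return hmac.compare_digest(expected, response)   # constant-time comparison


class ChapClient:
    def __init__(self, username: str, password: str):
        self.username = username
        self.password = password

    def respond(self, challenge: bytes) -> bytes:
        return compute_response(password_hash(self.password), challenge)


def login(server: ChapServer, client: ChapClient) -> bool:
    """One complete exchange: challenge out, response back, verdict."""
    chal = server.challenge(client.username)
    return server.verify(client.username, client.respond(chal))


if __name__ == "__main__":
    srv = ChapServer({"alice": password_hash("correct horse")})
    print("right password:", login(srv, ChapClient("alice", "correct horse")))
    print("wrong password:", login(srv, ChapClient("alice", "wrong")))
```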

2. Layer Two Tunneling Protocol (L2TP)

L2TP is an Internet Engineering Task Force (IETF) standard that combines features from Cisco’s Layer-Two Forwarding (L2F) protocol and Microsoft’s PPTP.  Since L2TP’s basis is PPTP, it is also an extension to PPP and operates at the data link layer (layer 2).  L2TP inherits PPP compression but not encryption.  PPP encryption is not used because it does not meet the security requirements of L2TP.  PPP encryption could provide confidentiality but would not provide per-packet authentication, integrity, or replay protection.  Data encryption is provided by IPSec.  Using PPP encryption in addition to IPSec-encrypted packets increases processing overhead with little or no added benefit.

3. PPTP and L2TP

Both PPTP and L2TP use PPP for point-to-point WAN connections, but there are differences in some features:

 

- PPTP requires that the transit internetwork be an IP internetwork.  L2TP requires only that the tunnel media provide packet-oriented point-to-point connectivity.  L2TP can be run over IP, Frame Relay, X.25 or ATM.

- L2TP provides header compression capability.  When header compression is enabled, L2TP operates with 2 bytes of overhead, compared to 6 bytes for PPTP.

- L2TP provides tunnel authentication, while PPTP does not.  However, when either PPTP or L2TP is run over IPSec, IPSec provides tunnel authentication, making Layer 2 tunnel authentication unnecessary.

- PPTP uses PPP encryption and L2TP does not.  Microsoft’s L2TP requires IPSec for encryption.

4. IP Security (IPSec)

IPSec, a set of protocols under development by the IETF to support secure exchange of packets at the IP layer, is utilized to implement VPNs on the Internet and intranets.  IPSec operates at the network layer (layer 3) and supports two modes, transport mode and tunnel mode.

 

IPSec Transport Mode

Transport mode encrypts only the payload of each IP packet; it leaves the header untouched.  Transport mode provides end-to-end encryption since the header information is untouched.  As a result, no special setup is required for the network devices.  Transport mode is usually used for secure communications between hosts.  With transport mode, someone sniffing the network will not be able to decipher the encrypted payload.  However, since the header information is not encrypted, sniffers will be able to analyze traffic patterns.

 

IPSec Tunnel Mode

Tunnel mode encrypts the entire packet, both the header and the payload.  The receiving device must be IPSec-compliant to be able to decrypt each packet, interpret it, and then re-encrypt it before forwarding it on to the appropriate destination.  Tunnel mode safeguards against traffic analysis, since someone sniffing the network can only determine the tunnel endpoints and not the true source and destination of the tunneled packets.  The sending and receiving devices exchange public key information using a protocol known as Internet Security Association and Key Management Protocol/Oakley (ISAKMP/Oakley).  This protocol enables the receiver to obtain a public key and authenticate the sender using the sender’s digital certificates.  Tunnel mode is considered more secure than transport mode, since it conceals, or encapsulates, the IP control information.

5. IP-IP tunneling

IP-IP, or IP in IP, is a simple OSI layer 3 (network layer) tunneling technique.  A virtual network is created by encapsulating an IP packet with an additional IP header.  The primary use of IP-IP is for tunneling multicast traffic over sections of a network that do not support multicast routing.  The IP-IP packet structure consists of the outer IP header, the tunnel header, the inner IP header, and the IP payload.

 

V. VPN Implementation scenario

The following cases explain what was needed in connections to the Internet, equipment, software, and VPN solutions.

Case 1: Integrating VPN with the Internet

Microfast, Inc. is a nationwide computer parts supply company.  Its headquarters is in Cleveland, Ohio.  There are three main branch offices: Sacramento, Houston and Charleston.  Between 20 and 50 small branch offices in each region are connected to the main branch office and to headquarters.

a. Headquarters

The headquarters office is the main source of information about products and operations; therefore, security is critical.  Besides the VPN, several other Internet services are centralized here, including the corporate web, email, and FTP servers.  The company web-based Intranet is also centralized at the main office.

1. Network connections

The central office maintains two T1 connections through two separate ISPs with nationwide POPs.  This provides redundancy and gives other connecting sites a variety of network paths over which they can reach the central office.  The T1 connections allow enough bandwidth for all sites to connect to the central network with adequate response time over the VPN, in addition to supporting these other services.

2. Hardware and operating system

Routing traffic from the T1, the company has a Cisco 4500 Internet router.  This is a robust and expandable router that can handle up to four T1s for a large network.  Likewise, it can encapsulate and route a variety of protocols, from IP to AppleTalk.  For broad coverage of VPN solutions, the main office is running PPTP on Windows NT servers.  Secondarily, there is a Unix server and an Ascend MAX remote access hub, both running PPTP.

3. VPN package

The central office must run three VPN servers to give their connecting networks a variety of solutions.  The large branch offices require a stable and fast network-to-network VPN.  For this high-bandwidth task, the Cisco PIX firewall was chosen.  In addition to being a robust firewall solution, the PIX enables the various large networks to encrypt data traffic from one network to the other.  This, combined with the routing power of the Cisco routers, allows each network a variety of protocols, while maintaining a secure connection.  Other remote users dialing in either to the Internet or one of the branch offices are using PPTP.

b. Main branch office

Other Internet services are maintained at some of the large branch offices, such as web and FTP servers.

1. Network connections

Main branch offices around the country are connected to the Internet via fractional T1 or full T1, depending on the size of their networks and the level of network activity.  Their network connections are through one of the two national providers that connect the central office to the Internet.  This allows for a faster connection to the central office, since it lessens the number of “hops” necessary to reach the corporate office’s Internet connections.

2. Hardware and operating system

A Cisco 2500 router is needed to support fractional to full T1 connections for these networks.  Sites use PPTP and Windows NT or Unix servers for dial-up users and smaller connecting networks.

3. VPN package

The Cisco PIX Firewall is implemented at these locations for connections to the central office and to provide network security against Internet-based attacks.  These branch offices also use PPTP for their remote access users, and for incoming connections from the small branch offices.  Users run the PPTP client on their Windows NT, Windows 95/98, or Macintosh workstations.

c. Small branch offices

Small branch office sites host very few resources to share – certainly not major web pages that are expected to get lots of hits – but they need continuous and reliable access to the larger offices.

1. Network connections

The smaller branch offices maintain either dedicated or dynamic ISDN connections to their Internet service providers.  Some offices use the same national service provider as the corporate office, while others use providers who maintain upstream connections through the same networks as the corporate office.  Though this does not affect the basic functionality of the VPN, it does increase the speed and reliability of the connection between sites.

2. Hardware and operating system

Small branch offices use the Ascend Pipeline 50 ISDN router for their Internet connection.  The Ascend supports PPTP, and routes Internet traffic for up to 255 IP addresses.  A Windows NT or Unix server is utilized at each site to validate incoming PPTP users and to connect to the VPN.

3. VPN package

A PPTP server and client are used at each site for accessing the VPN.

d. Remote access users

Remote access users include those on the road and those working off-site.

1. Network connections

A variety of connection methods are used, from ISDN to analog phone lines and modems.  The best scenario is to have all remote access users connect through the same national provider as the rest of the corporate network, or through a provider who is on the same network.

2. Hardware and operating system

Individual users can have a variety of platforms, from Windows NT or Windows 95/98 workstations to Unix to MacOS.  ISDN routers, terminal adapters, or analog modems could all be in use.

3. VPN package

The PPTP client is used by end users to access the VPN.

Case II: Integrating VPN in a routed environment

Microfast, Inc.’s headquarters in Cleveland has 4 departments: Sales/Marketing, Information Systems, Product Development and Human Resources.  The HR department holds sensitive personal and financial information about employees.

1. Network connections

The HR department LAN is physically separated from the other departments’ LANs.  A VPN connection allows the department’s LAN to be physically connected to the corporate internetwork but separated from it by a VPN server.  Users on the corporate internetwork who have the appropriate credentials (based on a need-to-know policy within the company) can establish a connection.

2. Hardware and operating system

Windows NT servers act as the VPN servers that accept incoming connections at the HR department.

3. VPN package

A PPTP server and client are used at each site for accessing the VPN.  If both the server and the client run Windows 2000, L2TP/IPSec is the most secure way to establish a connection.

 

VI. Summary/Conclusion

In the past, only large companies could afford to establish secure private networks, which they built from expensive leased lines.  Smaller companies had to make do with the relatively untrusted Internet.  The solution is a virtual private network, which can easily be used by anyone logging in from anywhere.  A number of products now exist to support this solution.  However much new technology arises, no connected network is ever perfectly secure; only a disconnected one is.  Therefore, it is important to keep your VPN up to date by applying security patches and bug fixes.  Sometimes it may be necessary to upgrade your VPN products to remain compatible with newer systems.  That is the only way to keep your network secure while maintaining connectivity with the rest of the world.

