Virtual Private Networks
Ryan Joyce
Computer Science / Software Engineering
University Wisconsin – Platteville
[email protected]
Abstract
The rapid advances in communication technology have allowed companies to conduct
business on a global scale. Virtual private networks (VPNs) give companies a means to
extend their secure private networks over the regular Internet. Companies can now directly
link their employees, strategic business partners, and customers into one integrated system.
VPNs are far less expensive than traditional wide area networks and provide increased
accessibility, allowing remote access for many users in multiple locations. VPNs are still
an evolving concept: optimization, security, scalability, and tunneling practices are
constantly being upgraded and changed for maximum efficiency. Investigated here are the
development of VPNs, the rationale for VPNs, common issues associated with VPNs, and the
overall benefits VPNs can provide. The world is becoming a more connected place every day,
and VPNs are another step forward toward fast, effective business solutions.
Joyce
1
CS 4110
Introduction
What is a Virtual Private Network?
A Virtual Private Network is an interconnected group of networks. These networks can
include both private and public networks, but together they behave like a single secure
private network. For example, by using a Virtual Private Network a company can extend its
secure private LAN across the public Internet.
History of VPNs
Before Virtual Private Networks there were only traditional local area networks (LANs)
and wide area networks (WANs). A company or institution had two choices. It could build a
separate private LAN at each of its facilities, which provided a secure, reliable network
but was only viable over short distances. Or, with a WAN, it could rent or lease private
lines from an external provider for a monthly fee, giving it a secure private network that
spanned great distances. The disadvantage of a WAN was that it was too costly for most
companies.
The growing popularity of the Internet in the late 1990s gave rise to a new idea: the
Virtual Private Network. The first instances of VPNs were shown indirectly by academic
institutions linking remote buildings or sites through the public Internet. These early
VPNs had limited security and reliability but were a workable alternative to WANs.
Eventually the corporate world investigated the idea as well. In the early 2000s VPN
software and hardware started to mature; several protocols were developed, and the early
process of standardization began. Virtual Private Networks still remain a relatively new
concept; they were not mainstream until 2004–2005.
Advantages of VPNs
Virtual Private Networks have many advantages. As the world grows into a more
interconnected society, the use of VPNs is a necessary step. VPNs can extend
communications on a global scale, allowing overseas business; these new foreign markets
can help a company grow, expand, and increase overall profit. Another advantage of VPNs is
increased communication with business partners, which means connecting your network with
a supplier's network or a retailer's network. This enables increased efficiency on
multiple levels: inventories can be updated and replenished using real-time information,
and sales data can be collected and analyzed for future market projections. Lastly, VPNs
are huge cost savers. Instead of using highly expensive WANs, companies can use Internet
connection services, which are far cheaper and more affordable.
Types of VPNs
VPNs are currently divided into three types: hardware, software, and a hardware/software
mix. Each type has advantages and disadvantages over the others, and the right choice
depends entirely on an institution's needs and requirements.
Hardware based
Hardware-based VPNs consist of VPN firewalls, edge routers, and VPN adapters. These
dedicated devices terminate the tunnels themselves: they encapsulate, encrypt, and decrypt
the tunneling protocol in hardware. Hardware solutions are generally more reliable but
take longer to implement. With a hardware solution a company may be forced to replace all
of its incompatible VPN equipment and add additional routers or firewalls, so overall the
hardware solution often becomes significantly more expensive. Hardware VPNs work best for
areas of business that have heavy communications and constant data transmissions.
Software based
Some VPNs do not require new equipment to be installed. VPN software such as Openswan,
LogMeIn Hamachi, and OpenVPN reconfigures existing computers to send and receive the
tunneling protocol. Software-based VPNs are far less expensive than their hardware
counterparts, but because the encapsulation and encryption of the tunneling protocol is
done in software on a general-purpose host, they can be slower and less reliable. Another
advantage of software-based VPNs is that, like most software installations, setup is
relatively quick and simple, which decreases setup times. Software VPNs work best in areas
of business that have small to moderate data transmissions and systems that require mobility.
Hardware/Software Mix
Since hardware-based and software-based VPNs each have advantages and disadvantages,
some users implement a combination of the two. When a company is communicating from its
corporate headquarters to its branch facilities it may use the VPN hardware approach for
the most reliable communication. If that same company also has mobile users, it would most
likely use some form of VPN software to supplement their needs. When software and hardware
are used in combination, a company can prioritize its information transfers and select the
most appropriate choice for each.
VPN Setups
Remote Users
This type of VPN setup refers to giving remote or mobile employees (home users) access to
a company's network. Examples of remote users are sales representatives who move from
place to place. These representatives may have a laptop or other device, and they need
access to the company's intranet via a standard Internet connection. With this type of
setup a company must require monitoring and strong authentication practices, because the
connection originates from devices and networks the company does not control. In addition,
remote user setups must be scalable: a company must be able to handle a large number of
users simultaneously. An example of the remote user setup is shown below in Figure 1.
Figure 1: VPN setup, remote users only (a home user connected to LAN A)
Intranet Setup
In this case a company may have no remote users to worry about but has permanent branch
facilities that need to be linked. Linking internal branches or subsidiaries together can
improve the company's efficiency as a whole. These VPN setups require high security:
because this type of VPN transmits and receives a significant amount of sensitive
information, strong authentication practices must be used. This VPN setup also needs a
high degree of reliability so that the applications that affect day-to-day operations run
smoothly. Figure 2 shows the connections made in an intranet setup.
Figure 2: VPN setup, intranet only (LAN A linked to LAN B)
Extranet Setup
Extranet setups incorporate remote setups, intranet setups, and network connections to
suppliers. Strong authentication practices and security measures are needed for this setup
as well; since outside organizations are being connected, each partner should be granted
access only to the systems it needs. In addition this type of setup requires some form of
protocol standardization, because the partners' equipment must interoperate. One of the
more common protocols used in extranet configurations is IPsec. Extranet setups are often
very large and expansive. Traffic control as well as congestion control need to be
implemented to ensure proper network function, and information may also have to be
prioritized in these setups. This network setup can be seen in larger companies that rely
on various suppliers and other horizontal business partners. Figure 3 is an example of an
extranet configuration.
Figure 3: VPN setup, extranet configuration (LAN A linked to suppliers' LANs)
How VPNs Work
Tunneling
Tunneling is the process of creating a secure point-to-point connection over a public
network. Tunneling works on the concept of data encapsulation: a regular data packet is
placed inside another packet, and the container packet is encrypted and sent over the
network. This adds a protocol layer to the data being sent, leaving three defining
protocols for transport. The first is the carrier protocol, one of the standard Internet
protocols (typically IP), which actually moves the container packet across the public
network. The next is the encapsulating, or VPN, protocol, which defines the tunnel header
and how the payload is protected. Last is the passenger protocol, the protocol of the
original packet being carried.
Tunneling has many powerful applications. Not only does it add security, it can also be
used to carry packets that cannot normally be sent over the Internet: NetBEUI, for example,
is not routable on the Internet, but if it is encapsulated inside an IP packet it can be
transported. Overall, tunneling is the foundation of VPN communications.
Security Requirements and Approaches
Confidentiality
Confidentiality refers to the privacy of information being exchanged between
communicating parties. If data packets are read by or disclosed to unauthorized parties, a
company's secrets and methods of business are at risk. This requirement is usually
addressed by some form of encryption.
Encryption
Encryption is the process of encoding data so that only parties holding the right key can
read it. Encryption comes in two types: private key (symmetric) encryption and public key
(asymmetric) encryption. Private key encryption uses one secret key, shared in advance
between the communicating computers, for both encryption and decryption. Public key
encryption uses a pair of keys, a private key and a public key. The private key is known
only to your computer, while the public key is given by your computer to any computer that
wants to communicate securely with it. A computer that wants to send you information
encrypts it with your public key, and only your private key can decrypt it; the public key
cannot. In practice the two types are combined: public key operations are comparatively
slow, so they are used to authenticate the peers and establish a shared session key, and
the session traffic is then protected with private key encryption. One popular example is
SSL (Secure Sockets Layer), the encryption used in web browsers for access to secure
websites, which works in exactly this way [2].
In addition to encryption, VPNs use cryptographic hash algorithms. Hashing is not a form of
encryption: a hash function is a one-way mathematical formula that condenses data of any
length into a fixed-size digest, and the digest cannot be reversed to recover the data.
Hashes are used for integrity checking and, keyed with a secret, as message authentication
codes.
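The distinction above is easiest to see in code. The following Go program is an added example, not part of the original paper or of any VPN product: it generates an RSA key pair for a VPN endpoint, draws a random symmetric session key, wraps that session key with the endpoint's public key so it can cross the public Internet, and unwraps it with the matching private key. A second key pair, standing in for any other party, shows that knowing the public key is not enough to recover the session key. The key sizes, the OAEP label and all function names are this example's own choices.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Added example (not from the paper): private (symmetric) key vs public key
// encryption, combined the way a VPN or SSL handshake combines them.
// Key sizes and names are this example's own choices.

const sessionKeyLen = 32 // 256-bit symmetric session key, shared by both tunnel ends

var oaepLabel = []byte("vpn-session-key") // binds the ciphertext to this purpose

// GenerateIdentity creates the key pair for one endpoint. The private half never
// leaves the endpoint; the public half is handed to any peer that wants to talk to it.
func GenerateIdentity() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// NewSessionKey draws a fresh random private (symmetric) key for one tunnel session.
// This is the key the bulk traffic is encrypted with.
func NewSessionKey() ([]byte, error) {
	key := make([]byte, sessionKeyLen)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// WrapSessionKey encrypts the session key with the PEER'S PUBLIC key (RSA-OAEP).
// Anyone may hold that public key; only the matching private key can undo this,
// so the wrapped key can cross the public Internet.
func WrapSessionKey(peerPub *rsa.PublicKey, sessionKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, peerPub, sessionKey, oaepLabel)
}

// UnwrapSessionKey recovers the session key with the receiver's own PRIVATE key.
func UnwrapSessionKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, oaepLabel)
}

func main() {
	server, _ := GenerateIdentity()
	eavesdropper, _ := GenerateIdentity() // any other party, with its own key pair
	key, _ := NewSessionKey()
	wrapped, _ := WrapSessionKey(&server.PublicKey, key)
	got, err := UnwrapSessionKey(server, wrapped)
	fmt.Printf("server unwraps with its private key: match=%v err=%v\n", bytes.Equal(got, key), err)
	_, err = UnwrapSessionKey(eavesdropper, wrapped)
	fmt.Println("anyone else, even knowing the public key, gets:", err)
}
```

The session key, not the RSA pair, is what the tunnel traffic is encrypted with afterwards: the asymmetric step runs once per session, the symmetric cipher runs on every packet.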
Data Integrity
Data integrity ensures that information transmitted over the public Internet is not
altered in any way during transit. If data is altered by unknown parties it can cause
failures in company operations. Data integrity is ensured with message authentication
codes (MACs) and digital signatures. These are extra data elements, computed over the
original message with a key that an attacker does not have, that are attached to the
message as proof of authenticity. If the receiver recomputes the check and it does not
match, or the check is missing, the message must be treated as altered or forged and
discarded [2].
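The tunneling, confidentiality, and data integrity sections above describe one mechanism from three angles, so the following Go program, an added example not taken from the paper or from any VPN product, implements all three at once. Its frame layout (a 4-byte SPI and an 8-byte sequence number in the clear, followed by the encrypted passenger packet and a 16-byte authentication tag) is modeled on the shape of IPsec ESP but is not the ESP wire format; the constants, names, and the sample inner packet are constructed for the example. The header is passed to AES-GCM as associated data, so it is authenticated even though it is not encrypted, and the receiver keeps a 64-entry sliding window, as ESP does, so that a captured frame cannot be replayed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame = VPN header (SPI 4 bytes || sequence number 8 bytes, in the clear but authenticated)
// || encrypted passenger packet || 16-byte GCM tag. The carrier (IP/UDP) is supplied by the
// OS. This layout is the example's own, modeled on the shape of IPsec ESP.
const (
	hdrLen     = 12
	windowSize = 64 // anti-replay window width, as in RFC 4303
)

var ErrReplay = errors.New("replayed or stale sequence number")
var ErrTamper = errors.New("authentication failed: frame altered in transit or malformed")

// Tunnel is one endpoint: the sender fields are used on one end, the receiver fields on the other.
type Tunnel struct {
	spi     uint32
	aead    cipher.AEAD
	nextSeq uint64 // sender: next sequence number to use
	lastSeq uint64 // receiver: highest sequence number accepted so far
	bitmap  uint64 // receiver: bit i set means lastSeq-i was already accepted
}

func NewTunnel(key []byte, spi uint32) (*Tunnel, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return &Tunnel{spi: spi, aead: aead, nextSeq: 1}, nil
}

// nonce embeds the sequence number, so it never repeats under one key.
func nonce(seq uint64) []byte {
	n := make([]byte, 12)
	binary.BigEndian.PutUint64(n[4:], seq)
	return n
}

// Encapsulate places the passenger packet inside a frame: header in the clear,
// passenger encrypted, both covered by the tag (the header is the associated data).
func (t *Tunnel) Encapsulate(inner []byte) []byte {
	seq := t.nextSeq
	t.nextSeq++
	hdr := make([]byte, hdrLen)
	binary.BigEndian.PutUint32(hdr[0:4], t.spi)
	binary.BigEndian.PutUint64(hdr[4:12], seq)
	return t.aead.Seal(hdr, nonce(seq), inner, hdr) // hdr || ciphertext || tag
}

// Decapsulate verifies a frame and returns the passenger. The replay window is
// advanced only after the tag verifies, so forged frames cannot poison it.
func (t *Tunnel) Decapsulate(frame []byte) ([]byte, error) {
	if len(frame) < hdrLen+t.aead.Overhead() {
		return nil, ErrTamper
	}
	hdr, body := frame[:hdrLen], frame[hdrLen:]
	seq := binary.BigEndian.Uint64(hdr[4:12])
	if seq == 0 || t.replayed(seq) {
		return nil, ErrReplay
	}
	inner, err := t.aead.Open(nil, nonce(seq), body, hdr) // any bit flip, header included, fails here
	if err != nil {
		return nil, ErrTamper
	}
	t.markSeen(seq)
	return inner, nil
}

// replayed reports whether seq was already accepted or is too old to track.
func (t *Tunnel) replayed(seq uint64) bool {
	return seq <= t.lastSeq && (t.lastSeq-seq >= windowSize || t.bitmap&(1<<(t.lastSeq-seq)) != 0)
}

// markSeen records seq, sliding the window forward when seq is the newest so far.
func (t *Tunnel) markSeen(seq uint64) {
	if seq <= t.lastSeq { // late but still inside the window
		t.bitmap |= 1 << (t.lastSeq - seq)
		return
	}
	t.bitmap = t.bitmap<<(seq-t.lastSeq) | 1 // a shift of 64 or more clears the window
	t.lastSeq = seq
}

func main() {
	key := make([]byte, 32) // constructed all-zero key; a real one comes from key establishment
	tx, _ := NewTunnel(key, 0x1001)
	rx, _ := NewTunnel(key, 0x1001)
	frame := tx.Encapsulate([]byte("constructed inner packet 10.0.0.5 -> 10.0.0.9"))
	got, err := rx.Decapsulate(frame)
	fmt.Printf("delivered %q (err=%v)\n", got, err)
	_, err = rx.Decapsulate(frame) // the same frame captured and resent
	fmt.Println("replayed frame:", err)
}
```

Flip any bit of a frame, in the header or in the ciphertext, and Decapsulate returns ErrTamper; deliver a frame twice and the second copy returns ErrReplay, while a frame that arrives late but within the 64-entry window is still accepted once. In a real tunnel the key comes from the key establishment step, and a new key is negotiated long before the sequence number could wrap, since a repeated nonce under the same GCM key would break both confidentiality and integrity.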
Authentication
Authentication is the process of ensuring that the identities of all communicating
parties are legitimate. Parties must be identified before information is transmitted.
Standard authentication practices include password authentication and digital
certificates. Another method is the use of token cards: the card and the server share a
secret and compute a one-time code from the current time stamp, and the user must enter
the code that is valid for the current time window to establish a connection [2].
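The time-stamped token card described above is what RFC 4226 (HOTP) and RFC 6238 (TOTP) standardize. The Go program below is an added example, not from the paper: HOTP computes an HMAC-SHA1 over a counter and truncates it to a short decimal code, TOTP derives the counter from the current time in 30-second steps so the card and the server agree without exchanging anything, and VerifyTOTP checks a submitted code against the current window and its two neighbors using a constant-time comparison. The secret is the RFC 6238 test secret, used here only so the output can be checked against the published vectors; a real token has its own random secret.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"strconv"
	"time"
)

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, "dynamic
// truncation" to a 31-bit integer, then the low `digits` decimal digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	mac := hmac.New(sha1.New, secret)
	var c [8]byte
	binary.BigEndian.PutUint64(c[:], counter)
	mac.Write(c[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f                                   // low nibble of the last byte
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff // 31 bits, sign bit cleared
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	s := strconv.FormatUint(uint64(code%mod), 10)
	for len(s) < digits { // keep leading zeros: "07081804" is a valid code
		s = "0" + s
	}
	return s
}

// TOTP (RFC 6238): HOTP whose counter is the number of `step`-second windows since
// the Unix epoch, so token and server agree without any network exchange.
func TOTP(secret []byte, unixTime, step int64, digits int) string {
	return HOTP(secret, uint64(unixTime/step), digits)
}

// VerifyTOTP accepts the code for the current window or one window either side
// (token and server clocks drift) and compares in constant time.
func VerifyTOTP(secret []byte, code string, unixTime, step int64, digits int) bool {
	ok := false
	for d := int64(-1); d <= 1; d++ {
		want := TOTP(secret, unixTime+d*step, step, digits)
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			ok = true
		}
	}
	return ok
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret, not a real one
	now := time.Now().Unix()
	code := TOTP(secret, now, 30, 6)
	fmt.Println("code for this 30-second window:", code, "valid:", VerifyTOTP(secret, code, now, 30, 6))
	fmt.Println("RFC 6238 vector, t=59, 8 digits:", TOTP(secret, 59, 30, 8)) // 94287082
}
```

A server should also remember the last window it accepted for each user and refuse a second login with the same code, since a one-time code captured in one window is otherwise reusable until the window closes.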
VPN Protocols
IPSec (Internet Protocol Security)
One of the first VPN protocols to be created was IPsec. It was developed by the Internet
Engineering Task Force (IETF) and was designed to secure IP-based networks at the network
layer, providing authentication, integrity, and confidentiality for IP packets. It was one
of the first protocols to use the tunneling concept: its tunnel mode encapsulates a whole
IP packet inside a new one.
PPTP (Point to Point Tunneling Protocol)
Another VPN protocol is PPTP; like IPsec it was one of the first to be used. The original
implementation was designed for remote users who needed to access company networks from
home. PPTP is being phased out of today's VPNs, but it created a blueprint for more
effective protocols. Its own authentication and encryption mechanisms (MS-CHAP and MPPE)
have since been shown to be weak, so it should not be selected for new deployments.
L2TP (Layer 2 tunneling protocol)
L2TP is a descendant of PPTP (and of Cisco's L2F). L2TP provides no encryption of its own;
in practice it is paired with IPsec (L2TP/IPsec) for confidentiality. L2TP has two
tunneling options, client-aware and client-transparent tunneling. In client-aware
(voluntary) tunneling the client itself initiates the tunnel and is conscious of the VPN
encapsulation. In client-transparent (compulsory) tunneling the tunnel is set up by an
intermediate access device, so the client is unaware that tunneling is taking place and
behaves as in normal network communication.
Socks5
SOCKS5 differs from most VPN protocols: it is a circuit-level proxy protocol (RFC 1928)
working at the session layer rather than a network-layer tunnel. It was designed to relay
TCP (and UDP) connections through a firewall after authenticating the user. SOCKS5 occurs
most frequently in extranet configurations. Its greatest strong point is user-level,
per-application access control; it does not by itself encrypt the relayed traffic.
Conclusion
Selecting A VPN
When selecting a VPN there are a variety of aspects to consider. The first is integration,
which refers to the compatibility issues that arise when bringing in the new network: a
VPN must work with the existing intranets in order to function properly. There is also the
choice of software versus hardware. Another aspect that needs to be considered is
scalability; VPNs can be as expansive or as limited as the user wants them to be, but the
design should allow for growth in users and sites.
Real World applications of VPNs
VPNs are spreading to all different types of industries and users. Some of the industries
to adopt VPNs are manufacturing, medical, retail, and finance. Manufacturers have used VPNs
to link factory operations and all of their facilities to corporate headquarters. In
retailing, local stores are connected directly to regional offices, delivering relevant
sales data. On the medical front, transferring patient data across hospital networks is
another example of VPN usage. Online transactions and remote user access to banks have
revolutionized how people access their money. Lastly, more people can work at home via
VPNs.
Problems with VPNs
Like all new technologies, VPNs have certain setbacks. Currently VPN setup times can be
extensive depending on the size of an institution's network. In addition, users have some
difficulty integrating VPNs into very old networks, which can lead to complex
troubleshooting issues. Another concern companies have with VPNs is interoperability with
other networks. Since vendors' VPN implementations are not fully standardized, companies
have to agree and compromise when connecting to external networks. The last concern
companies have with VPNs is the reliability of their Internet service providers: poor
Internet connections and constant outages can leave a company bandwidth constrained.
Optimizing VPNs
Though there are many concerns with implementing a VPN, there are a variety of ways to
optimize a VPN and eliminate some of the common problems. One of the first ways is to have
multiple ISPs; by having multiple Internet providers a company decreases its chance of
being bandwidth constrained by a single outage. Another way to optimize a VPN is to keep
it updated in accordance with the most widely adopted VPN protocols and work toward
standardization. To create an even more optimized VPN, a company can also create VPNs that
work independently at each branch or subsidiary rather than having one main VPN, so that a
failure at one site does not affect the others.
The Future of VPNs
VPNs will become a more integral part of society. In the future VPNs will eventually have
a settled set of protocols used across companies. New hardware and software is being
developed every day with new features that effectively manage VPNs. The future is bright
for VPNs: they will become more customizable, cheaper, and more secure, for better, more
effective business.
References
[1] Dunigan, Tom. Virtual Private Networks. Posted October 13, 2004; retrieved October 15,
2007, from http://www.csm.ornl.gov/~dunigan/vpn.html
[2] McDonald, Christopher. Virtual Private Networks: An Overview. Retrieved October 16,
2007, from Intranet Journal, http://www.intranetjournal.com/foundation/vpn-1.shtml
[3] Virtual Private Networks. Cisco. Posted October 12, 2006; retrieved October 16, 2007,
from http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/vpn.htm
[4] Virtual Private Networking. Microsoft. Retrieved October 15, 2007, from
http://www.microsoft.com/technet/isa/2004/help/fw_VPNIntro.mspx?mfr=true