VPN
Seminar Report
submitted for the degree of
Master of Computer Applications
MACS Department
NATIONAL INSTITUTE OF TECHNOLOGY KARNATAKA
Surathkal, Mangalore
FEB 2015
Submitted by: ATUL BILUNG (13CA15), MCA IV Semester
Submitted to: Mrs. Sujatha D Achar, Mr. Suresh Kumar
DECLARATION
I hereby declare that the seminar report entitled VPN which is being submitted to the National Institute Of Technology Karnataka, Surathkal, in partial fulfillment of the requirements for the mandatory learning course (MLC) of Master of Computer Applications in the Department of Mathematical and Computational Sciences, is a bonafide report of the work prepared by me. This material is collected from various sources with utmost care and is based on facts and truth.
NAME - ATUL BILUNG
ROLL NO. 13CA15
MCA 4th Sem
PLACE - NITK, SURATHKAL
CERTIFICATE
This is to certify that the P.G. Seminar Report entitled VPN submitted by ATUL BILUNG (ROLL NO. 13CA15) as the record of the work carried out by him is accepted as the P.G. Seminar Work Report submission in partial fulfillment of the requirements for the mandatory learning course of Master of Computer Applications in the Department of Mathematical and Computational Sciences.
ABSTRACT
A Virtual Private Network (VPN) is a way of implementing a global Wide Area Network (WAN) on top of the Internet. The enormous cost of building such a network in the traditional way, through dedicated leased lines or satellite links, is reduced considerably, while fast, secure and reliable communication is maintained wherever the offices are.
In a VPN the Internet is used as the data pipeline, replacing the traditional data lines. This approach suits small and medium-sized businesses particularly well, and many companies now create their own VPN to serve remote employees and distant offices. Each remote member of the network can communicate securely and reliably with the private LAN using the Internet as the medium, needing nothing more than a contract with an ISP. A VPN can also grow to accommodate more users and new locations far more easily than a leased-line network; scalability is a major advantage of VPNs over leased lines. Unlike leased lines, whose cost grows with the distance involved, the geographic location of each office matters little when building a VPN.
Contents
1 Introduction
2 What Makes a VPN?
3 Types of VPN
3.1 Remote-Access VPN
3.2 Site-to-Site VPN
3.3 Extranet VPN
4 Types of VPN Product
5 VPN Security
6 Security
6.1 Authentication
6.2 Encryption
6.3 Tunneling
6.4 Tunneling Protocols
7 Conclusion
List of Figures
1 Remote Access Before VPN
2 Remote Access After VPN
3 Site to Site Before VPN
4 Site to Site After VPN
5 Extranet VPN
6 The Passenger, Capsule and Carrier in the 7 Layer OSI model
Virtual Private Network
1 Introduction
VPN (Virtual Private Network) is a generic term for a communication network that uses some combination of technologies to secure a connection tunnelled through an otherwise unsecured or untrusted network. Instead of a dedicated connection such as a leased line, a virtual connection is made between geographically dispersed users and networks over a shared or public network such as the Internet. Data is transmitted as if it were passing over private connections.
A VPN transmits data by means of tunnelling. Before a packet is transmitted, it is encapsulated (wrapped) in a new packet with a new header. This header carries the routing information the packet needs to traverse the shared or public network until it reaches the tunnel endpoint. The logical path that the encapsulated packets travel along is called a tunnel. When a packet reaches the tunnel endpoint it is decapsulated and forwarded to its final destination. Both tunnel endpoints must support the same tunnelling protocol. Tunnelling protocols operate at either OSI (Open Systems Interconnection) layer two (the data-link layer) or layer three (the network layer); the most commonly used are IPsec, L2TP, PPTP and SSL/TLS-based tunnels. A packet with a private, non-routable IP address can be carried inside a packet with a globally routable IP address, thereby extending a private network across the Internet.
My definition: basically, a VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users together. Instead of a dedicated, physical connection such as a leased line, a VPN uses virtual connections routed through the Internet from the company's private network to the remote site or employee.
2 What Makes a VPN?
A well-designed VPN can greatly benefit a company. For example, it can:
- Extend geographic connectivity
- Improve security
- Reduce operational costs compared with a traditional WAN
- Reduce transit time and transportation costs for remote users
- Improve productivity
- Simplify network topology
- Provide global networking opportunities
- Provide telecommuter support
- Provide broadband networking compatibility
- Provide a faster ROI (return on investment) than a traditional WAN
A well-designed VPN should incorporate the following features:
- Security
- Reliability
- Scalability
- Network management
- Policy management
3 Types of VPN
1. Remote-Access VPN
2. Site-to-Site VPN
3. Extranet VPN
3.1 Remote-Access VPN
A remote-access VPN, also called a virtual private dial-up network (VPDN), is a user-to-LAN connection used by a company whose employees need to reach the private network from various remote locations. Normally, a company that wishes to set up a large remote-access VPN outsources it to an enterprise service provider (ESP). The ESP sets up a network access server (NAS) and supplies the remote users with desktop client software. The telecommuters then dial a low-cost or toll-free number (0800, 0500 etc.) to reach the NAS and use their VPN client software to access the corporate network. Today the dial-up step is usually replaced by an ordinary Internet connection, but the user-to-gateway model is the same.
Figure 1: Remote Access Before VPN
Figure 2: Remote Access After VPN
3.2 Site-to-Site VPN
Site-to-site VPNs are an alternative WAN infrastructure used to connect branch offices, home offices, or business partners' sites to all or parts of a company's network. VPNs do not change the requirements of a private WAN, such as support for multiple protocols, high reliability, and extensive scalability, but meet them more cost-effectively and with greater flexibility. A company can connect multiple fixed sites over a public network such as the Internet through the use of dedicated equipment and strong encryption.
Site-to-site VPNs are of two types:
Intranet-based - If a company has one or more remote locations that it wishes to join into a single private network, it can create an intranet VPN to connect LAN to LAN.
Extranet-based - When a company has a close relationship with another company (for example, a partner, supplier or customer), they can build an extranet VPN that connects LAN to LAN and allows the various companies to work in a shared environment.
Figure 3: Site to Site Before VPN
Figure 4: Site to Site After VPN
3.3 Extranet VPN
Extranet VPNs link customers, suppliers, partners, or communities of interest to a corporate intranet over a shared infrastructure using dedicated connections. Businesses get the same policies as on a private network, including security, QoS, manageability, and reliability. Because the partner's network is outside the company's control, access through an extranet VPN is normally restricted to the specific hosts and applications the partner needs.
Figure 5: Extranet VPN
4 Types of VPN Product
VPNs can be broadly categorised as follows:
1. A firewall-based VPN is one that is equipped with both firewall and VPN capabilities. This type of VPN makes use of the security mechanisms of the firewall to restrict access to the internal network. The features it provides include address translation, user authentication, real-time alarms and extensive logging.
2. A hardware-based VPN offers high network throughput, better performance and more reliability, since encryption and tunnelling are handled by dedicated hardware rather than by a general-purpose processor. However, it is also more expensive.
3. A software-based VPN provides the most flexibility in how traffic is managed. This type is suitable when the VPN endpoints are not controlled by the same party, and where different firewalls and routers are used. It can be combined with hardware encryption accelerators to improve performance.
4. An SSL VPN allows users to connect to the VPN device using a web browser. The TLS (Transport Layer Security) protocol, the successor of SSL (Secure Sockets Layer), is used to encrypt traffic between the browser and the SSL VPN device. One advantage of SSL VPNs is ease of use: every standard web browser supports TLS, so users need not install or configure any software. The name is historical; SSL 3.0 itself has been deprecated (RFC 7568) and a correctly configured SSL VPN accepts only TLS.
5 VPN Security
A VPN uses encryption to provide data confidentiality. Once connected, the VPN makes use of the tunnelling mechanism described above to encapsulate encrypted data in a secure tunnel, with openly readable outer headers that allow the packets to cross a public network. Packets passed over a public network in this way are unreadable without the proper decryption keys, so the data is not disclosed during transmission. Encryption alone, however, does not prevent the data from being changed: with a stream cipher an attacker who flips bits in the ciphertext flips the corresponding bits of the plaintext without knowing the key.
For this reason a VPN also provides a data integrity check. This is typically performed with a keyed message digest (a MAC such as HMAC) computed over each packet; a plain, unkeyed digest would not help, because the attacker could recompute it after tampering.
By default, a VPN does not provide or enforce strong user authentication. Users can enter a simple username and password to gain access to the internal private network from home or from other insecure networks. VPNs do, however, support add-on authentication mechanisms such as smart cards, tokens and RADIUS, and these should be used for remote access.
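The difference between confidentiality and integrity described above, as an added example that is not part of the original report: a stream-encrypted message is silently altered by an on-path attacker who never learns the key, and the same alteration is rejected once an HMAC is computed over the ciphertext (encrypt-then-MAC). The keystream construction, keys, nonce and message are constructed for this example; a real VPN uses a negotiated cipher such as AES-GCM or ChaCha20-Poly1305, which carry their own authentication tag.

```python
"""Added example (not from the report): confidentiality is not integrity.

A packet protected by a stream cipher alone can be altered by an attacker
who never learns the key; a keyed MAC (HMAC) over the ciphertext detects it.
Keys, nonce and the sample message below are constructed for the example.
"""
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 in counter mode. Used only so the example
    runs on the standard library; a real VPN uses a negotiated cipher such
    as AES-GCM or ChaCha20-Poly1305 (which include their own MAC)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR the data with the keystream; decryption is the same operation."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


decrypt = encrypt


def protect(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC(nonce || ciphertext)."""
    ciphertext = encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unprotect(enc_key: bytes, mac_key: bytes, packet: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject on mismatch."""
    nonce, ciphertext, tag = packet[:12], packet[12:-32], packet[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: packet was modified in transit")
    return decrypt(enc_key, nonce, ciphertext)


def flip_byte(data: bytes, offset: int, mask: int) -> bytes:
    """What an on-path attacker does: XOR one ciphertext byte with a mask."""
    out = bytearray(data)
    out[offset] ^= mask
    return bytes(out)


def demo() -> tuple:
    """Returns (plaintext seen after tampering without a MAC, whether the MAC
    caught the same tampering)."""
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(12)
    message = b"PAY 0010 USD TO ALICE"  # constructed sample payload
    # The attacker knows the message layout (byte 4 is the first digit) but
    # not the key, and turns '0' (0x30) into '9' (0x39) by XORing 0x09.
    mask = ord("0") ^ ord("9")

    # 1) Encryption only: the tampered packet decrypts to a different, valid message.
    ciphertext = encrypt(enc_key, nonce, message)
    seen_without_mac = decrypt(enc_key, nonce, flip_byte(ciphertext, 4, mask))

    # 2) Encrypt-then-MAC: the same bit flip (offset +12 for the nonce) is rejected.
    packet = protect(enc_key, mac_key, nonce, message)
    try:
        unprotect(enc_key, mac_key, flip_byte(packet, 12 + 4, mask))
        caught = False
    except ValueError:
        caught = True
    return seen_without_mac, caught


if __name__ == "__main__":
    altered, caught = demo()
    print("without MAC, receiver sees:", altered)
    print("with HMAC, tampering detected:", caught)
```

The tag is checked with hmac.compare_digest before any decryption happens, so a forged packet is dropped without leaking timing information or feeding attacker-controlled plaintext to the application.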
6 Security
Nearly all VPNs share three fundamental security features:
1. Authentication
2. Encryption
3. Tunneling
By analogy, traveling through a forest can be dangerous without the protection of a vehicle. The Internet is similar: private data sent through public networks without the protection of a tunnel can be intercepted, stolen, or corrupted.
6.1 Authentication
Before establishing a secure channel for data transmission (encryption and tunneling), one must first authenticate both endpoints of the tunnel. This means proving the identity of both the client and the server: if only the server is authenticated, anyone can connect as a client, and if only the client is authenticated, the client may be handing its traffic to an impostor gateway.
6.2 Encryption
All modern VPNs use encryption to scramble data into ciphertext before sending the packets across the Internet. When the packets arrive at their destination, the recipient decrypts them back into readable text.
There are two basic types of cryptography: 1) symmetric and 2) asymmetric.
Asymmetric cryptography is more complex than symmetric and uses mathematically related public and private key pairs. It is slow, so it is used for small, sensitive pieces of data such as the messages exchanged during authentication and key agreement.
Symmetric cryptography has a performance edge over asymmetric cryptography. It is therefore used in the tunneling process to protect the bulk of the traffic between two parties who have already authenticated each other and agreed on a key using asymmetric cryptography.
A VPN thus commonly uses asymmetric cryptography to establish keys and symmetric cryptography to protect data; neither is "more secure" than the other, they serve different purposes. Each endpoint generates its own key pair and keeps the private key secret. The public keys (or Diffie-Hellman public values) are exchanged, and each side combines the peer's public value with its own private value to arrive at the same shared secret. From that secret the symmetric session keys are derived, normally separate encryption and integrity keys for each direction. At no point is a private key sent to the other endpoint.
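The key-establishment step described above, as an added example that is not code from the report: two endpoints run Diffie-Hellman so that only public values cross the wire, then derive four symmetric session keys (encryption and integrity, one pair per direction) with HKDF (RFC 5869). The group parameters P and G are a constructed toy, far too small for real use; real VPNs use the 2048-bit or larger MODP groups of RFC 3526 or elliptic-curve groups. The exchange is unauthenticated on its own, which is why IKE and TLS sign or certificate-bind these values as section 6.1 requires.

```python
"""Added example (not from the report): asymmetric key agreement, then
symmetric session keys.

Two endpoints run Diffie-Hellman to agree on a shared secret without ever
sending a private value, then derive separate symmetric encryption and
integrity keys for each direction with HKDF (RFC 5869). The group
parameters below are a constructed toy (a 127-bit prime); real VPNs use
2048-bit or larger MODP groups (RFC 3526) or elliptic-curve groups.
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy modulus: a Mersenne prime, far too small for real use
G = 5            # toy generator, chosen for illustration only


def dh_keypair() -> tuple:
    """Private exponent x and public value g^x mod p; only the public value leaves the host."""
    private = secrets.randbelow(P - 2) + 1
    public = pow(G, private, P)
    return private, public


def dh_shared_secret(private: int, peer_public: int) -> bytes:
    """(g^y)^x == (g^x)^y mod p, so both sides compute the same secret."""
    if not 1 < peer_public < P - 1:
        raise ValueError("peer public value out of range")  # reject trivial values
    shared = pow(peer_public, private, P)
    return shared.to_bytes((P.bit_length() + 7) // 8, "big")


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract: PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_session_keys(shared_secret: bytes, salt: bytes) -> dict:
    """Four independent 32-byte keys: encryption and MAC, for each direction."""
    prk = hkdf_extract(salt, shared_secret)
    material = hkdf_expand(prk, b"vpn-example session keys", 4 * 32)
    names = ("enc_c2s", "mac_c2s", "enc_s2c", "mac_s2c")
    return {n: material[i * 32:(i + 1) * 32] for i, n in enumerate(names)}


def handshake() -> tuple:
    """Run both sides of the exchange; returns (client keys, server keys)."""
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    # The only values that cross the wire: c_pub, s_pub and a fresh salt (nonce).
    salt = secrets.token_bytes(32)
    client_keys = derive_session_keys(dh_shared_secret(c_priv, s_pub), salt)
    server_keys = derive_session_keys(dh_shared_secret(s_priv, c_pub), salt)
    return client_keys, server_keys


if __name__ == "__main__":
    client, server = handshake()
    print("keys agree:", client == server)
    print("client->server encryption key:", client["enc_c2s"].hex())
```

Separate keys per direction and per purpose mean that a weakness in one direction's traffic, or in the MAC, does not expose the other keys; the peer-value range check rejects the degenerate public values 0, 1 and p-1 that would force the shared secret to a known constant.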
6.3 Tunneling
VPN technology is based on the idea of tunneling. In brief, tunneling is the process
of placing an entire packet within another packet and sending it over a network.
Tunneling consists of three parts:
1. The Passenger
2. The Capsule
3. The Carrier
The Passenger is the original protocol and data being transmitted, for example IP, IPX or NetBEUI packets from the private network. The Capsule is the encapsulating protocol that wraps the passenger, such as GRE (used by PPTP), L2TP or IPsec ESP; of these only IPsec encrypts by itself. The Carrier is the protocol of the network over which the wrapped packet actually travels, which for an Internet VPN is IP.
6.4 Tunneling Protocols
There are three major tunneling protocols for VPNs: the Point-to-Point Tunneling Protocol (PPTP), Internet Protocol Security (IPsec), and the Layer 2 Tunneling Protocol (L2TP).
These protocols do not interoperate with each other: both ends of a tunnel must speak the same one, although L2TP is commonly run inside IPsec (L2TP/IPsec).
1. Point-to-Point Tunneling Protocol (PPTP): is based on the Point-to-Point Protocol (PPP), and so supports non-IP protocols such as NetBEUI, AppleTalk and IPX/SPX. PPTP exists at the Data Link layer of the OSI model, as seen in Figure 6. PPTP itself does not encrypt; the PPP payload is encrypted with MPPE (RC4, up to 128-bit), and any authentication scheme supported by PPP can be used. The usual MS-CHAPv2 authentication and RC4 encryption are both broken today, so PPTP should be treated as obsolete and not used for new deployments.
2. Internet Protocol Security (IPsec): is a widely used VPN protocol suite that supports stronger encryption than PPTP. IPsec exists at the Network Layer of the OSI model, as seen in Figure 6. IPsec has two modes: tunnel and transport. Tunnel mode protects the entire original IP packet, header and payload, and adds a new outer IP header, while transport mode protects only the payload and leaves the original IP header in the clear. IPsec can secure traffic between routers, between clients and routers, between routers and firewalls, and between clients and servers.
3. Layer Two Tunneling Protocol (L2TP): is an IETF standard (RFC 2661) that merged Cisco's L2F with PPTP; it is implemented in Cisco equipment, in Windows and on most other platforms. Like PPTP, L2TP exists at the Data Link layer of the OSI model, as seen in Figure 6. L2TP provides tunneling but no encryption of its own, so it is normally combined with IPsec. L2TP can be used as a tunneling protocol for site-to-site and remote-access VPNs, creating a tunnel between routers, between a NAS and a router, or between a client and a router.
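The packet-in-packet idea of the Introduction, section 6.3 (passenger, capsule, carrier) and the tunnel-mode layout of section 6.4, as one added example that is not code from the report. It builds a real IPv4 packet between two private addresses (the passenger), wraps it in an outer IPv4 header with public addresses and protocol number 4 (IP-in-IP, RFC 2003, the simplest capsule), and shows the far gateway validating and unwrapping it. All addresses (RFC 5737 documentation ranges), ports and the payload are constructed for the example. IPsec tunnel mode uses the same outer/inner layout with an ESP header (IP protocol 50) between the two and the inner packet encrypted and authenticated; in transport mode the original header stays outermost and only the payload is protected.

```python
"""Added example (not from the report): tunnelling as packet-in-packet.

Builds an IPv4 packet with private source and destination (the passenger),
wraps it in an outer IPv4 header whose addresses are public and whose
protocol field is 4 (IP-in-IP, RFC 2003), and shows the tunnel endpoint
unwrapping it. Addresses, ports and payload are constructed for the example.
"""
import socket
import struct

IPPROTO_IPIP = 4   # "IP in IP", RFC 2003
IPPROTO_UDP = 17
HEADER = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options


def ip_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words; a correct header sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """IPv4 header (version 4, IHL 5, no fragmentation) followed by the payload."""
    header = struct.pack(HEADER, 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    checksum = ip_checksum(header)
    return header[:10] + struct.pack("!H", checksum) + header[12:] + payload


def parse_ipv4(packet: bytes) -> dict:
    """Validate version, lengths and checksum before trusting any field."""
    if len(packet) < 20:
        raise ValueError("truncated packet")
    vihl, _, total, _, _, ttl, proto, _, src, dst = struct.unpack(HEADER, packet[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or total > len(packet) or total < ihl:
        raise ValueError("malformed IPv4 header")
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total]}


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    """Minimal UDP datagram; a zero checksum is permitted over IPv4."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel entry: the whole inner packet becomes the payload of an outer one."""
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner)


def decapsulate(packet: bytes, expected_peer: str) -> dict:
    """Tunnel exit: check the outer header, strip it, parse the passenger."""
    outer = parse_ipv4(packet)
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("not a tunnel packet")
    if outer["src"] != expected_peer:
        raise ValueError("outer source is not the configured tunnel peer")
    return parse_ipv4(outer["payload"])


def site_to_site_demo() -> tuple:
    """Host 10.0.0.5 at site A sends to 10.0.1.7 at site B through gateways
    203.0.113.1 and 198.51.100.2 (RFC 5737 documentation addresses)."""
    datagram = build_udp(40000, 514, b"constructed syslog line from site A")
    inner = build_ipv4("10.0.0.5", "10.0.1.7", IPPROTO_UDP, datagram)
    on_the_wire = encapsulate(inner, "203.0.113.1", "198.51.100.2")
    outer = parse_ipv4(on_the_wire)          # all that the Internet sees
    delivered = decapsulate(on_the_wire, "203.0.113.1")
    return outer, delivered


if __name__ == "__main__":
    outer, delivered = site_to_site_demo()
    print("outer:", outer["src"], "->", outer["dst"], "proto", outer["proto"])
    print("inner:", delivered["src"], "->", delivered["dst"], "proto", delivered["proto"])
```

The outer header is the only part a router on the public path ever looks at, which is why private 10.x addresses can cross the Internet inside it. Without the peer check in decapsulate (or, in a real VPN, the ESP authentication tag), anyone who can reach the gateway could inject packets into the private network simply by wrapping them the same way; plain IP-in-IP offers no protection against that, which is the gap IPsec fills.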
Figure 6: The Passenger, Capsule and Carrier in the 7 Layer OSI model
7 Conclusion
A VPN provides a means of accessing a secure, private, internal network over insecure public networks such as the Internet. A number of VPN technologies have been outlined, among which IPsec and SSL/TLS VPNs are the most common. Although a secure communication channel can be opened and tunneled through an insecure network via a VPN, client-side security should not be overlooked: a compromised client machine carries its malware straight into the private network through the tunnel.
A VPN is a powerful tool that increases company and individual productivity, because employees are no longer restricted to the company campus. This allows the company to expand its reach and project itself into global markets. However, network administrators should grant VPN access to users with discretion, and companies should develop and enforce security policies listing the requirements employees must meet to qualify for remote VPN access.