Virtual Private Network

Learning to Live and Work with
Virtual Private Networks
CEENET #6
Budapest Hungary
Richard Perlman
perl@lucent.com
Tunneling Defined
Creating a transparent virtual network link between two network nodes that is unaffected by physical network links and devices.
CEENET #6 - Introduction to VPNs
Tunneling Explained
• Tunneling is encapsulating one protocol in another
• Tunnels provide routable transport for unroutable packets
  – encrypted, illegal addressing, non-supported
• Tunneling itself provides no security
Tunneling Illustrated
[Figure: LAN A and LAN B joined by a Tunnel between Router A and Router B; Workstation X on LAN A sends an original IP packet with destination Y (Workstation Y on LAN B).]
• Step 1: Original, unroutable IP packet (dest Y) sent to Router A
• Step 2: Original IP packet encapsulated in another (new) IP packet and carried through the tunnel to Router B
• Step 3: Original packet extracted at Router B and sent to destination Y
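The three steps above, worked through in code. This is an added example, not material from the CEENET slides: it builds a minimal IPv4 header, wraps the "unroutable" private-address packet from Workstation X inside a new packet between the two routers (IP-in-IP, protocol number 4 as in RFC 2003), and unwraps it again at Router B. All addresses and the payload are constructed. It also makes the slide's last point concrete: the inner packet travels verbatim inside the outer one, so the tunnel alone hides nothing.

```python
# Added example (not from the CEENET slides): IP-in-IP tunnelling of one IPv4
# packet inside another, following Steps 1-3 above. Addresses are constructed.
import struct
import socket

IPPROTO_IPIP = 4          # protocol number for IP-in-IP encapsulation (RFC 2003)
IPPROTO_UDP = 17

def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build an IPv4 packet (20-byte header, no options) with a correct checksum."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    csum = ipv4_checksum(hdr)
    hdr = hdr[:10] + struct.pack("!H", csum) + hdr[12:]
    return hdr + payload

def parse_ipv4(pkt: bytes) -> dict:
    """Parse the fixed IPv4 header, verify its checksum, return fields and payload."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad header checksum")
    total_len, = struct.unpack("!H", pkt[2:4])
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "proto": pkt[9], "payload": pkt[ihl:total_len]}

def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Step 2: Router A wraps the original packet in a new, routable IP packet."""
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner)

def decapsulate(outer: bytes, expected_dst: str) -> bytes:
    """Step 3: Router B strips the outer header and returns the original packet."""
    o = parse_ipv4(outer)
    if o["dst"] != expected_dst:
        raise ValueError("outer packet is not addressed to this tunnel endpoint")
    if o["proto"] != IPPROTO_IPIP:
        raise ValueError("outer packet is not IP-in-IP")
    inner = o["payload"]
    parse_ipv4(inner)   # sanity-check the inner header before forwarding it
    return inner

def demo() -> dict:
    # Step 1: Workstation X (10.1.0.10) sends to Y (10.2.0.20). These private
    # addresses are not routable across the public network between the routers.
    inner = build_ipv4("10.1.0.10", "10.2.0.20", IPPROTO_UDP, b"hello Y")
    # Constructed public addresses for the tunnel endpoints, Router A and Router B.
    outer = encapsulate(inner, "198.51.100.1", "203.0.113.1")
    restored = decapsulate(outer, "203.0.113.1")
    # "Tunneling itself provides no security": the inner packet and its payload
    # are carried as-is, so anyone who sees the outer packet can read them.
    return {"outer_proto": parse_ipv4(outer)["proto"],
            "outer_len": len(outer),
            "restored_equals_inner": restored == inner,
            "payload_visible": b"hello Y" in outer,
            "inner_dst": parse_ipv4(restored)["dst"]}

if __name__ == "__main__":
    print(demo())
```

`decapsulate` refuses packets that are not addressed to the local endpoint or that do not carry protocol 4, and it re-parses the inner header before forwarding; a real tunnel endpoint also needs to filter what it accepts from the inner packet (source addresses, destinations) since the tunnel itself asserts nothing about who sent it.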
Virtual Private Networks (VPN)
What is a VPN?
• A means of augmenting a shared network on a secure basis through encryption and/or tunneling
• Tunnels created between endpoints for transporting data securely across public networks
Benefits
• Leverages existing Service Provider infrastructure for private data communications
• Cost savings
What Is an IP VPN?
• Emulate a private network over a shared IP network…
[Figure: Branch Offices, Remote Workers, Customers/Suppliers and Corporate Headquarters connected over a Shared IP Network (Internet).]
Why IP?
• Service Differentiation, Global Connectivity, Flexibility, Platform for fast growing new services (e.g. E-Commerce)
Types of IP VPN Services
Where is the VPN Intelligence    | Who Owns the VPN: Service Provider | Who Owns the VPN: Enterprise
Customer Premise                 | Managed CPE IP VPN                 | Enterprise IP VPN
Service Provider Network         | Network Based IP VPN               | -
Service options
• Applications: Dial, Intranet, Extranet
• QoS: End to end guarantees, service differentiation, best effort
• Security: Network based, user based
• Infrastructure: Internet, IP, ATM, MPLS
One way to communicate…
[Figure: Tokyo, New York HQ and London sites, each behind a Firewall and Router with CSU/DSUs, joined by PSTN (Dial) or Dedicated Lines; Remote Access Servers at the sites; the Internet and Web Sites are reached separately.]
Another view of network possibilities... A Virtual Private Network
[Figure: the same Tokyo, New York and London sites, each with Firewall, CSU/DSU and Router w/L2TP, connected only through the Internet; Remote Clients and Web Sites are reached over the same Internet connection.]
Internet as Backbone: Dial-Up
[Figure: Remote User with VPN Software builds a Secure Tunnel across the Internet/ISP Network to the VPN Gateway in front of the Private Network; a Hacker is shown on the Internet, outside the tunnel.]
Internet as Backbone: Branch Offices
[Figure: Branch Office VPN Router builds a Secure Tunnel across the Internet/ISP Network to the VPN Gateway in front of the Private Network.]
Shared Dial Networking
[Figure: Mobile Employee, Telecommuter and Contractor each dial into an IAG on the Shared Service Provider Network; their Tunneled Traffic reaches the VPN Gateway in front of the Private Network.]
Virtual Private Networks
• Extends private network boundary across a shared network using tunneling technology
[Figure: Private Servers and Internal Users behind VPN Gateways; Tunnels cross the Shared Network from an IAG (Virtual Private Dial-Up) to the VPN Gateways.]
Types of Tunnels
Two basic types of tunnels
• Voluntary tunnels
  – Tunneling initiated by the end-user (requires client software on remote computer)
• Compulsory tunnels
  – Tunnel is created by NAS or router (tunneling support required on NAS or router)
Voluntary Tunnels
• Will work with any network device
  – Tunneling transparent to leaf and intermediate devices
• But user must have a tunneling client compatible with tunnel server
  – PPTP, L2TP, L2F, IPSEC, IP-IP, etc.
• Simultaneous access to Intranet (via tunnel) and Internet possible
  – Employees can use personal accounts for corporate access
• Remote office applications
  – Dial-up VPNs for low traffic volumes
A Voluntary PPTP Tunnel
[Figure: Client Host (PPTP Virtual Interface over a Serial Interface) dials the Dial Access Server at the Dial Access Provider using the PPP access protocol; the PPTP tunnel runs from the client across the Dial IP Access network to the PPTP Access Server at the VPN Service.]
Compulsory Tunnels
• Will work with any client
  – But NAS must support same tunnel method
  – But… tunneling transparent to intermediate routers
• Network access controlled by tunnel server
  – User traffic can only travel through tunnel
• Internet access possible
  – Must be by pre-defined facilities
  – Greater control
  – Can be monitored
Compulsory Tunnels
• Static Tunnels
  – All calls from a given NAS/Router tunneled to a given server
• Realm-based tunnels
  – Each tunnel based on information in NAI (i.e. user@realm)
• User-based tunnels
  – Calls tunneled based on userID data stored in authentication system
A Compulsory L2TP Tunnel
[Figure: Client Host connects over a V.x modem protocol to the Dial Access Server at the Dial Access Provider using the PPP access protocol; the Dial Access Server forwards the PPP session over an L2TP non-routed forwarding path to the L2TP Access Server at the Internet or VPN Service.]
RADIUS Support for Tunnels
• Can define tunnel type
• Can define/limit tunnel end points
• Allows tunnel configuration to be based on Calling-Station-ID or Called-Station-ID
• Additional accounting information
  – Tunnel end points
  – Tunnel ID, etc.
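How the static, realm-based and user-based compulsory tunnels of the previous slide and the RADIUS tunnel attributes of this one fit together, as an added example that is not from the slides or any vendor's product. The attribute numbers and enumerated values (Tunnel-Type 64, Tunnel-Medium-Type 65, Tunnel-Server-Endpoint 67; L2TP = 3, PPTP = 1, IPv4 = 1) are those of RFC 2868; the NAS names, realms, endpoint addresses and policy tables are constructed stand-ins for what a provider's RADIUS server would hold. The `is_permitted` check is the "define/limit tunnel end points" point: a policy entry may only steer calls to an LNS on the approved list.

```python
# Added example (not from the slides): how a NAS/LAC decides whether and where
# to build a compulsory tunnel (static, Called-Station-Id, realm or user policy)
# and how the decision is carried back as RFC 2868 RADIUS tunnel attributes.
# All NAS names, realms, addresses and policy data below are constructed.
from dataclasses import dataclass
from typing import Optional

# RFC 2868 attribute numbers and the enumerated values used here.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_SERVER_ENDPOINT = 64, 65, 67
TUNNEL_TYPE_PPTP, TUNNEL_TYPE_L2TP = 1, 3
TUNNEL_MEDIUM_IPV4 = 1
INTEGER_ATTRS = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE}

@dataclass
class AccessRequest:
    nas_id: str                    # which NAS/router the call arrived on
    user_name: str                 # NAI as presented by the caller, e.g. alice@corp.example
    called_station_id: str = ""    # DNIS: the number the caller dialled
    calling_station_id: str = ""   # the caller's own number (kept for accounting)

# Constructed policy; in practice this lives in the service provider's RADIUS server.
PERMITTED_ENDPOINTS = {"192.0.2.10", "192.0.2.11", "198.51.100.5"}
STATIC_BY_NAS = {"nas-budapest-1": ("192.0.2.10", TUNNEL_TYPE_L2TP)}
BY_DNIS = {"+3615550100": ("192.0.2.11", TUNNEL_TYPE_L2TP)}
BY_REALM = {"corp.example": ("192.0.2.11", TUNNEL_TYPE_L2TP),
            "legacy.example": ("198.51.100.5", TUNNEL_TYPE_PPTP),
            "bad.example": ("10.9.9.9", TUNNEL_TYPE_L2TP)}   # deliberately unlisted endpoint
BY_USER = {"bob@partner.example": ("192.0.2.10", TUNNEL_TYPE_L2TP)}

def split_nai(nai: str):
    """'user@realm' -> (user, realm); realm is None for a bare user name."""
    user, sep, realm = nai.partition("@")
    return user, (realm.lower() if sep else None)

def is_permitted(endpoint: str) -> bool:
    """'Define/limit tunnel end points': only listed LNS addresses may be used."""
    return endpoint in PERMITTED_ENDPOINTS

def select_tunnel(req: AccessRequest) -> Optional[dict]:
    """Return tunnel attributes keyed by RADIUS attribute number, or None for no tunnel."""
    _, realm = split_nai(req.user_name)
    if req.nas_id in STATIC_BY_NAS:                # static: every call on this NAS
        choice = STATIC_BY_NAS[req.nas_id]
    elif req.called_station_id in BY_DNIS:         # by Called-Station-Id
        choice = BY_DNIS[req.called_station_id]
    elif realm in BY_REALM:                        # realm-based (user@realm)
        choice = BY_REALM[realm]
    elif req.user_name in BY_USER:                 # user-based (from the auth database)
        choice = BY_USER[req.user_name]
    else:
        return None                                # terminate locally, no tunnel
    endpoint, tunnel_type = choice
    if not is_permitted(endpoint):
        raise ValueError(f"policy would tunnel to unlisted endpoint {endpoint}")
    return {TUNNEL_TYPE: tunnel_type, TUNNEL_MEDIUM_TYPE: TUNNEL_MEDIUM_IPV4,
            TUNNEL_SERVER_ENDPOINT: endpoint}

def encode_tunnel_attrs(attrs: dict, tag: int = 1) -> bytes:
    """RADIUS TLVs in RFC 2868 tagged form: Tag + 3-byte integer, or Tag + string."""
    out = b""
    for attr_type, value in attrs.items():
        value_bytes = value.to_bytes(3, "big") if attr_type in INTEGER_ATTRS else value.encode()
        body = bytes([tag]) + value_bytes
        out += bytes([attr_type, 2 + len(body)]) + body   # Length covers Type and Length too
    return out

def decode_tunnel_attrs(data: bytes) -> dict:
    """Inverse of encode_tunnel_attrs; the tag byte is stripped from each value."""
    attrs, pos = {}, 0
    while pos < len(data):
        attr_type, length = data[pos], data[pos + 1]
        if length < 3 or pos + length > len(data):
            raise ValueError("malformed attribute")
        body = data[pos + 3:pos + length]          # skip Type, Length and Tag
        attrs[attr_type] = int.from_bytes(body, "big") if attr_type in INTEGER_ATTRS else body.decode()
        pos += length
    return attrs

def answer_for(req: AccessRequest) -> bytes:
    """Tunnel attributes the RADIUS server would place in its Access-Accept (empty = no tunnel)."""
    attrs = select_tunnel(req)
    return encode_tunnel_attrs(attrs) if attrs else b""

if __name__ == "__main__":
    for r in (AccessRequest("nas-budapest-1", "anyone@elsewhere.example"),
              AccessRequest("nas-2", "alice@corp.example"),
              AccessRequest("nas-2", "carol", called_station_id="+3615550100"),
              AccessRequest("nas-2", "dave@nowhere.example")):
        print(r.user_name, select_tunnel(r))
```

A caller in the constructed `bad.example` realm makes `select_tunnel` raise rather than hand the LAC an endpoint outside the permitted set; the Calling-Station-Id is carried in the request so that accounting can record it alongside the tunnel endpoint and ID the slide lists.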
RADIUS Dial Up Security
• Authenticates dial in users at boundary of private network
[Figure: Remote User presents a User Login to the RAS at the Boundary of the Private Network; the RAS checks it with the RADIUS Server over the RADIUS Protocol; a Hacker is shown outside the boundary.]
Protocol Comparison
[Table (cell marks not recoverable from the extracted slide): PPTP, L2TP and IPSEC compared on Authenticated Tunnels, Compression, Smart Cards, Address Allocation, Multiprotocol, Strong Encryption, Flow Control and Requires Server.]
Virtual Private Networks via the Layer Two Tunneling Protocol (L2TP)
L2TP Building Blocks
• L2TP Access Concentrator (LAC)
  – Typically attached to the switched network fabric, such as the public switched telephone network (PSTN)
  – Only needs to implement the media over which L2TP operates in order to pass traffic to one or more LNSs
  – Typically the initiator of incoming calls and the receiver of outgoing calls
L2TP Building Blocks (Cont.)
• L2TP Network Server (LNS)
  – Operates on any platform capable of PPP termination
  – Handles the server side of the L2TP protocol
    • scalability is critical
  – Able to terminate calls arriving at any LAC's full range of PPP interfaces (async, ISDN, PPP over ATM, PPP over Frame Relay)
  – The initiator of outgoing calls
  – The receiver of incoming calls
L2TP VPN in the Network
[Figure: Remote, Telecommuter Employees dial over Analog/ISDN/PSTN into the Service Provider's LAC; an L2TP Encapsulated Tunnel crosses the Internet/Frame Relay/ATM Network to the LNS at the Customer Premise Equipment, which fronts the Corporate Network/Servers. Two RADIUS servers appear in the figure.]
How Does an L2TP VPN Device Work?
• Service provider provides remote access outsourcing services to utilize idle network infrastructure and provide their customers with the cost savings of using a public network like the Internet
• The customer wants to connect their remote branch offices and telecommuters to Corporate HQ servers
How Does an L2TP VPN Device Work?
• STEP 1
  – Remote users/telecommuters/branch offices initiate a session or call into an L2TP Access Concentrator (LAC) device
• STEP 2
  – The LAC sends an authentication request to a RADIUS Server, which will authenticate the call and generate configuration information about the creation, type of L2TP tunnel and end point of the tunnel
• STEP 3
  – Tunnel creation information is sent to the LAC, which encapsulates the user's PPP Frames and tunnels them over the network to the LNS device.
• STEP 4
  – LNS serves as termination point where the encapsulated L2TP frame is stripped and processed. The PPP Frame is then passed on to higher layer protocols and users on the local area network.
[Figure, repeated with each step highlighted: Remote, Telecommuter Employees reach the Service Provider's LAC over PSTN/ISDN/Analog; the LAC consults RADIUS and tunnels across the Internet/Frame Relay/ATM Network to the LNS at the customer CPE, which fronts the Corporate Network/Servers and a second RADIUS server.]
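The four steps as a runnable walk-through. This is an added example, not code from the slides or from any vendor's LAC or LNS: the LAC takes the call, looks up a tunnel configuration (a constructed table standing in for the RADIUS answer of Step 2), wraps the user's PPP frame in an L2TPv2 data-message header laid out as in RFC 2661 (UDP port 1701), and the LNS strips the header, checks that the tunnel/session pair is one it knows, and hands the PPP frame upward. Realm, addresses, tunnel and session IDs are constructed.

```python
# Added example (not from the slides or any vendor's product): the four steps of
# a compulsory L2TP tunnel, with the L2TPv2 data-message header per RFC 2661.
# The RADIUS exchange of Step 2 is replaced by a constructed lookup table; all
# addresses, names and IDs are constructed.
import struct
from typing import Optional

L2TP_UDP_PORT = 1701                                   # L2TP runs over UDP/1701
FLAG_T, FLAG_L, FLAG_S, FLAG_O = 0x8000, 0x4000, 0x0800, 0x0200   # RFC 2661 header bits
VERSION = 2
PPP_PROTO_IPV4 = 0x0021

# Step 2 stand-in: what the provider's RADIUS server answers per realm (constructed).
RADIUS_TUNNEL_CONFIG = {"corp.example": {"type": "L2TP", "lns": "192.0.2.20", "tunnel_id": 7}}

def step1_incoming_call(user_nai: str, dialed_number: str) -> dict:
    """Step 1: a remote user dials into the LAC; the LAC records who called what."""
    return {"nai": user_nai, "dnis": dialed_number}

def step2_radius_lookup(call: dict) -> Optional[dict]:
    """Step 2: the LAC asks RADIUS; the answer says whether, how and where to tunnel."""
    return RADIUS_TUNNEL_CONFIG.get(call["nai"].partition("@")[2])

def build_l2tp_data(tunnel_id: int, session_id: int, ppp_frame: bytes,
                    ns: Optional[int] = None, nr: Optional[int] = None) -> bytes:
    """L2TPv2 data message: T=0, L bit set (Length present), optional S bit (Ns/Nr)."""
    flags = FLAG_L | VERSION
    tail = struct.pack("!HH", tunnel_id, session_id)
    if ns is not None:
        flags |= FLAG_S
        tail += struct.pack("!HH", ns, nr or 0)
    length = 4 + len(tail) + len(ppp_frame)            # Flags and Length fields are 4 bytes
    return struct.pack("!HH", flags, length) + tail + ppp_frame

def parse_l2tp(msg: bytes) -> dict:
    """Walk the variable-length header and return its fields plus the carried payload."""
    if len(msg) < 6:
        raise ValueError("truncated L2TP header")
    flags, = struct.unpack("!H", msg[:2])
    if flags & 0x000F != VERSION:
        raise ValueError("not an L2TPv2 message")
    pos = 2
    if flags & FLAG_L:
        length, = struct.unpack("!H", msg[pos:pos + 2]); pos += 2
        if length != len(msg):
            raise ValueError("Length field does not match datagram")
    tunnel_id, session_id = struct.unpack("!HH", msg[pos:pos + 4]); pos += 4
    ns = nr = None
    if flags & FLAG_S:
        ns, nr = struct.unpack("!HH", msg[pos:pos + 4]); pos += 4
    if flags & FLAG_O:                                  # Offset Size, then padding
        offset, = struct.unpack("!H", msg[pos:pos + 2]); pos += 2 + offset
    return {"control": bool(flags & FLAG_T), "tunnel_id": tunnel_id,
            "session_id": session_id, "ns": ns, "nr": nr, "payload": msg[pos:]}

def step3_lac_encapsulate(cfg: Optional[dict], session_id: int, ppp_frame: bytes) -> Optional[dict]:
    """Step 3: wrap the user's PPP frame in L2TP and address the datagram to the LNS."""
    if cfg is None or cfg["type"] != "L2TP":
        return None                                     # no tunnel: call is terminated locally
    return {"dst": cfg["lns"], "dport": L2TP_UDP_PORT,
            "data": build_l2tp_data(cfg["tunnel_id"], session_id, ppp_frame)}

class LNS:
    """Step 4: strip the L2TP header, check the session, hand the PPP frame upward."""
    def __init__(self, sessions: dict):
        self.sessions = sessions                        # {(tunnel_id, session_id): user}

    def step4_receive(self, datagram: dict) -> dict:
        msg = parse_l2tp(datagram["data"])
        if msg["control"]:
            return {"action": "control", "tunnel_id": msg["tunnel_id"]}
        user = self.sessions.get((msg["tunnel_id"], msg["session_id"]))
        if user is None:                                # unknown tunnel/session: drop, never forward
            return {"action": "drop", "reason": "unknown tunnel/session"}
        ppp = msg["payload"]
        if ppp[:2] == b"\xff\x03":                      # HDLC Address/Control, unless compressed away
            ppp = ppp[2:]
        if len(ppp) < 2:
            return {"action": "drop", "reason": "short PPP frame"}
        proto, = struct.unpack("!H", ppp[:2])
        return {"action": "deliver", "user": user, "ppp_protocol": proto, "info": ppp[2:]}

def demo() -> dict:
    call = step1_incoming_call("alice@corp.example", "+3615550100")
    cfg = step2_radius_lookup(call)
    ppp_frame = b"\xff\x03" + struct.pack("!H", PPP_PROTO_IPV4) + b"<constructed IPv4 packet>"
    datagram = step3_lac_encapsulate(cfg, 0x1234, ppp_frame)
    lns = LNS({(7, 0x1234): "alice@corp.example"})      # session registered when the tunnel was built
    return lns.step4_receive(datagram)

if __name__ == "__main__":
    print(demo())
```

The LNS only forwards frames whose tunnel and session IDs match a session it set up through the control connection; data arriving for an unknown pair is dropped, which is the check that keeps a compulsory tunnel from becoming an open path into the corporate network.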
VPN Questions and Answers (FAQs)
Q: What is a virtual private network?
A VPN gives users a secure way to access or link corporate network resources over the Internet or other public or private networks.

Q: What are the elements to a VPN?
• VPNs typically include a number of security features including encryption, authentication, and tunneling.
• VPN software may be included on laptops and network workstations and servers or may be included with routers and remote access servers.

Q: How do companies use VPNs?
• In place of traditional dial-up connections to provide access to remote users and telecommuters
• To connect LANs in different sites instead of using the public switched telephone network or dedicated leased lines
• To give customers, clients and consultants access to corporate resources.

Q: Is a VPN the same thing as an extranet?
No. Most VPNs can be designed to work as an extranet. But not all extranets are VPNs.
Q: Then what is an extranet?
Extranet is a general term that can mean many different things. The common definition of an extranet is a type of network that gives outside users, such as customers, clients and consultants, access to data residing on a corporation's network. Users access the data through a Web browser over the Internet and typically need to enter a user name and password before access to the data is granted.

Q: How is this different from a VPN?
A VPN can be used in a similar manner, but typically a VPN has much higher security associated with it. Specifically, a VPN typically requires the establishment of a tunnel into the corporate network and the encryption of data passed between the user's PC and corporate servers.

Q: Why bother with a VPN, aren't there other ways to give users secure access to network resources?
• There are different ways to control access and provide secure access to network resources. A VPN is just one of those ways.
• However, a well implemented VPN is transparent to the user and should require no special skills or knowledge to use.

Q: What are other methods for accessing network resources over the Internet?
Depending on the level of security needed, a company could choose to use an extranet approach or a customized approach that combines password protection of network servers with third-party authentication systems.
Q: Why do companies use VPNs?
There are many reasons to use a VPN. The most common reasons are
(1) to save telecommunications costs by using the Internet to carry traffic (rather than paying long distance phone charges)
(2) to save telecommunications costs by reducing the number of access lines into a corporate site, and
(3) to save operational costs by outsourcing the management of remote access equipment to a service

Q: How does a VPN cut long distance phone charges?
Long distance phone charges are reduced with a VPN because a user typically dials a local call to an ISP rather than placing a long distance or international call directly to his or her company.

Q: How do VPNs help reduce the number of access lines?
Many companies pay monthly charges for two types of access lines:
(1) high-speed links for their Internet access
(2) frame relay, ISDN Primary Rate Interface or T1 lines to carry data.
A VPN may allow a company to carry the data traffic over its Internet access lines, thus reducing the need for some installed lines.

Q: How can a VPN save operational costs?
Some companies hope to save operational costs by outsourcing their remote access to an ISP or other type of service provider. The idea is that by giving users access to the network via a VPN, a company can get rid of its modem pools and remote access servers. The operational cost savings come from not having to manage those devices.
Performance Issues

Q: What about VPN performance?
• There are several issues to consider when exploring VPN performance. Some are related to the Internet itself. Is it available? What is the latency for packets traveling across the network? Other performance issues are related to the specific VPN applications.
• In general, VPNs implemented over the public Internet will have poorer performance than VPNs implemented over private IP networks.

Q: What are the concerns about network availability?
The Internet occasionally experiences outages. For example, in 1997 there was a system-wide availability problem when a corrupted master list of Domain Names was distributed to the handful of root servers that are the heart of the Internet. More frequently, a particular Internet service provider may experience equipment problems leading to a service outage that can last from hours to days.

Q: What can be done to ease concerns about network availability?
Many service providers are trying to improve the reliability of their networks to prevent outages. While they cannot guarantee 100 percent availability, many providers are offering service level agreements that offer credits or refunds if network availability falls below a certain level.

Q: How good are the network availability service level agreements (SLAs)?
Most of the service providers with nation-wide backbones guarantee the network will be available at least 99.6 percent of the time. That translates into a maximum outage time of about 6.5 minutes a day before the refund or credits kick in. Some offer higher availability with refunds or credits kicking in for outages of 3 minutes per day or longer.
Q: What are the short-comings of these SLAs?
All VPN SLAs offered today only apply to the specific service provider's network. If the traffic crosses from one provider's network to another, the SLAs do not apply.

Q: What about latency?
To date, there are no VPN SLAs that address latency. The service providers say they will need a number of things, like the ability to offer quality of service guarantees, to happen before latency SLAs will be offered.

Q: Are there other issues that will prevent latency-related VPN SLAs?
Yes. IT managers will not see end-to-end latency SLAs for VPNs as they get for other services such as a Frame Relay service that carries time-sensitive SNA terminal to host traffic. One of the reasons end-to-end latency SLAs will not be practical for VPNs is that there are many variables, such as the type of encryption used and the client's processing power, that determine end-to-end performance in VPN applications.

VPN Technology Questions
Q: What are the common tunneling protocols?
There are currently three major tunneling protocols for VPNs. They are:
• Point-to-Point Tunneling Protocol (PPTP)
• Internet Protocol Security (IPSec)
• Layer 2 Tunneling Protocol (L2TP)
Two proprietary protocols often seen are:
• Ascend's ATMP
• Cisco's L2F

Q: What types of encryption can be used in VPN applications?
Virtually all of the common encryption technologies can be used in a VPN. Most VPN equipment vendors give the user a choice. IT managers can often select anything from the 40-bit built-in encryption offered by Microsoft under Windows 95 to more robust, but less exportable, encryption technologies like triple-DES.

Q: How are VPN users authenticated?
VPN vendors support a number of different authentication methods. Many vendors now support a wide range of authentication techniques and products including such services as RADIUS, Kerberos, token cards, NDS, NT Domain, and software and hardware-based dynamic passwords.

Q: Can user access and authentication be linked to existing access control systems?
• Yes. Some vendors, such as Lucent, support existing standards like RADIUS.
• Other VPN vendors, notably Aventail, Novell, and New Oak Communications, provide ways to link VPN access rights to defined access rights such as those in Windows NT Workgroup lists, Novell Directory Services or Binderies.
L2TP Tunnel Lab Diagram
[Figure: two lab networks, Net 10.x.1.0 and Net 10.x.2.0, joined by a Router (10.x.1.1 / 10.x.2.1). Components: LAC; LNS; Workstation 10.x.2.128; Telnet Server 10.x.2.5; Terminal Server 10.x.1.2; RADIUS Server 10.x.2.3, used to select the LNS based on the DNIS, Realm or other information; a second RADIUS server with a USER DB, used to authenticate the user. A second, simplified copy of the diagram shows only the LAC, the LNS and the USER DB.]