Y398 INTERNSHIP AND PROFESSIONAL PRACTICE
FALL 2002
BY: WILL LEWIS
DEPARTMENT OF COMPUTER AND INFORMATION SCIENCES
INDIANA UNIVERSITY SOUTH BEND
VIRTUAL PRIVATE NETWORKS (VPN)

Page 1 of 31 Virtual Private Networks (VPN)

VIRTUAL PRIVATE NETWORKS (VPN)
BY WILL LEWIS

INTRODUCTION

A recent trend in industry is for employees to become increasingly mobile and for their network needs to grow. With these new innovations comes a greater demand on a company’s information technology managers. These information managers must plan and implement strategies that allow company resources to be extended well beyond the safe confines of the company intranet. One of the more popular solutions for expanding a local area network (LAN) into a much larger wide area network (WAN), or even an international network, is the implementation of a virtual private network, or VPN. This combination of software and hardware allows information managers to safely send and receive data over the Internet without having to support and maintain costly dial-in lines. With this implementation come new security requirements for securing and maintaining vital company information. Many vendors also exist that allow small to medium sized companies to completely outsource their VPN solution rather than implementing and maintaining such a complex system themselves.

This paper discusses the different aspects of a VPN solution to network expansion problems and mobile users. It is divided into five sections: VPN Specifications, Basic VPN Requirements, Tunneling, Advanced Security Features, and Conclusion.

VPN SPECIFICATIONS

Basically, a virtual private network is composed of a VPN server at the company end of the connection (typically with access to the company’s intranet), a secure VPN tunnel to transmit and receive data, and a VPN client at the other end (typically a mobile or remote user).
The data travels between these two points over a transit internetwork, and the data is encrypted to protect it in transit. Microsoft (6)

Depending on the requirements of a particular business, a virtual private network can be implemented to allow communication between any network resource in a branch office and any network resource at the corporate office, or the focus can be narrowed so that the VPN allows only an individual network resource in the branch office to connect to one or two network resources at corporate headquarters. These different requirements represent some of the characteristics of basic network connectivity that should be addressed before a VPN solution is considered. Other requirements used to determine network connectivity include security policy, business models, intranet server access, application requirements, data sharing, and application server access.

Depending on the needs of a business, a VPN can be configured simply to expand an existing intranet, or it can be configured to give business partners access to certain parts of the business as well. These are referred to as intranet VPNs and extranet VPNs. With an intranet VPN, all network and VPN resources are managed by a single organization. With an extranet VPN, no single organization has management control over all network and VPN resources; rather, each company manages its own VPN equipment. The extranet VPN configuration process involves first configuring a portion of the VPN and then exchanging the needed subset of configuration information with the partner VPN management organizations.
BASIC VPN REQUIREMENTS

Once the company has established its business requirements and has decided whether to implement an intranet VPN or an extranet VPN, it must understand the basic requirements of a VPN and recognize that these requirements hold whether it implements an in-house solution or outsources. These criteria define characteristics that the company should seek in commercially available packages or should implement if it produces its own VPN. Therefore, any VPN solution should provide at least all of the following:

User Authentication. The solution must verify the VPN client’s identity and restrict VPN access to authorized users only. It must also provide audit and accounting records to show who accessed what information and when.

Address Management. The solution must assign a VPN client’s address on the intranet and ensure that private addresses are kept private.

Data Encryption. Data carried on the public network must be rendered unreadable to unauthorized clients on the network.

Key Management. The solution must generate and refresh encryption keys for the client and server.

Multiprotocol Support. The solution must handle common protocols used in the public network. These include IP (Appendix I), Internetwork Packet Exchange (IPX) (Appendix II), and so on.

An Internet VPN solution based on the Point-To-Point Tunneling Protocol (PPTP) (Appendix III) or the Layer Two Tunneling Protocol (L2TP) (Appendix IV) meets all of these basic requirements and takes advantage of the broad availability of the Internet. Other solutions, including Internet Protocol Security (IPSec) (Appendix V), meet only some of these requirements but remain useful for specific situations.

TUNNELING

Tunneling is a method of using an internetwork infrastructure to transfer data for one network over another network.
The data to be transferred (the payload) can be the frames (or packets) of another protocol. In order to proceed in a logical manner, a distinction should be made between the notion of a packet and a frame. By definition, a frame is a packet as it is transmitted across a serial line. The term derives from character-oriented protocols that added special start-of-frame and end-of-frame characters when transmitting packets. Frames are essentially the objects that physical networks transmit. A packet is any small block of data sent across a network. It essentially makes up the frames that are transmitted across the physical layers of the network.

Instead of sending a frame as it is produced by the originating node, the tunneling protocol encapsulates the frame in an additional header. The additional header provides routing information so that the encapsulated payload can traverse the intermediate network. Microsoft (6)

The encapsulated packets are then routed between tunnel endpoints over the internetwork. The logical path through which the encapsulated packets travel through the internetwork is called a tunnel. Once the encapsulated frames reach their destination on the internetwork, the frame is decapsulated and forwarded to its final destination. Tunneling includes this entire process (encapsulation, transmission, and decapsulation of packets). For a tunnel to be established, both the tunnel client and the tunnel server must be using the same tunneling protocol.

Tunneling technology can be based on either a Layer 2 or a Layer 3 tunneling protocol. These layers correspond to the Open Systems Interconnection (OSI) Reference Model (Appendix XVI). Layer 2 protocols correspond to the data-link layer and use frames as their unit of exchange. PPTP and L2TP are Layer 2 tunneling protocols; both encapsulate the payload in a Point-to-Point Protocol (PPP) (Appendix VI) frame to be sent across an internetwork.
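The encapsulate, route, decapsulate cycle just described, worked through as an added example that is not part of the original paper: a minimal IP-in-IP tunnel in Python in which the inner packet keeps the private addresses and the outer header names only the two tunnel endpoints, so a router in the transit internetwork never sees the inner addresses. All addresses, the payload and the tunnel endpoints are constructed values from documentation ranges; IPPROTO_IPIP (4) is the real protocol number for IP-in-IP encapsulation.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4  # real IANA protocol number for IP-in-IP encapsulation


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header; a valid header re-sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, protocol: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal (no options) IPv4 packet with a correct header checksum."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,               # version 4, IHL 5 words (20 bytes)
        0,                  # type of service
        20 + len(payload),  # total length
        0,                  # identification
        0,                  # flags / fragment offset
        ttl,
        protocol,
        0,                  # checksum placeholder, filled in below
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes) -> dict:
    """Parse and validate an IPv4 header; raises ValueError if it cannot be trusted."""
    if len(packet) < 20:
        raise ValueError("packet too short for an IPv4 header")
    f = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if f[0] >> 4 != 4 or (f[0] & 0x0F) * 4 != 20:
        raise ValueError("unsupported IP version or header length")
    if ipv4_checksum(packet[:20]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    if f[2] > len(packet):
        raise ValueError("total length exceeds data received")
    return {
        "src": str(ipaddress.IPv4Address(f[8])),
        "dst": str(ipaddress.IPv4Address(f[9])),
        "protocol": f[6],
        "payload": packet[20:f[2]],
    }


def encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel client: put the whole inner packet behind an outer header that carries
    only the tunnel endpoints, which is all the transit internetwork needs to route it."""
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner_packet)


def decapsulate(outer_packet: bytes, my_tunnel_address: str) -> bytes:
    """Tunnel server: check the outer header, strip it, return the original packet."""
    outer = parse_ipv4(outer_packet)
    if outer["dst"] != my_tunnel_address:
        raise ValueError("outer packet is not addressed to this tunnel endpoint")
    if outer["protocol"] != IPPROTO_IPIP:
        raise ValueError("outer packet does not carry an encapsulated IP packet")
    inner = outer["payload"]
    parse_ipv4(inner)  # the payload must itself be a well-formed IP packet
    return inner


def tunnel_demo() -> dict:
    """Constructed walk-through: a branch-office host (10.1.1.25) reaches a corporate
    server (10.2.2.80) through a tunnel between two public endpoints."""
    inner = build_ipv4("10.1.1.25", "10.2.2.80", 17, b"constructed UDP payload")
    outer = encapsulate(inner, "198.51.100.10", "203.0.113.5")  # documentation-range endpoints
    on_the_wire = parse_ipv4(outer)  # what a router in the transit internetwork sees
    recovered = decapsulate(outer, "203.0.113.5")
    return {
        "transit_src": on_the_wire["src"],
        "transit_dst": on_the_wire["dst"],
        "inner_dst": parse_ipv4(recovered)["dst"],
        "intact": recovered == inner,
        "overhead_bytes": len(outer) - len(inner),
    }


if __name__ == "__main__":
    print(tunnel_demo())
```

The 20-byte overhead is the cost of the additional header the paper describes; a real IPSec tunnel adds its ESP or AH header on top of it.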
L3TP (Appendix VII), or Layer 3 protocols, correspond to the Network layer and use packets. IPSec tunnel mode is an example of a Layer 3 tunneling protocol: it encapsulates IP packets in an additional IP header before sending them across an IP internetwork.

ADVANCED SECURITY FEATURES

The Internet facilitates the creation of VPNs from anywhere, which means that networks need strong security features to prevent unwelcome access to private networks and to protect private data as it traverses the public network. User authentication and data encryption have already been discussed, but this section provides a brief look ahead to the stronger authentication and encryption capabilities that are available with the Extensible Authentication Protocol (EAP) (Appendix VIII) and IPSec.

The first advanced security feature worthy of discussion is the distinction between symmetric (private-key) encryption and asymmetric (public-key) encryption. Symmetric encryption (also known as conventional encryption) is based on a secret key that is shared by both communicating parties. The sending party uses the secret key as part of the mathematical operation to encrypt (or encipher) plain text to cipher text. The receiving party uses the same secret key to decrypt (or decipher) the cipher text to plain text. Examples of symmetric encryption schemes are the RSA RC4 algorithm (Appendix IX), which provides the basis for Microsoft Point-To-Point Encryption (MPPE) (Appendix X); the Data Encryption Standard (DES) (Appendix XI); the International Data Encryption Algorithm (IDEA) (Appendix XII); and the Skipjack encryption technology (Appendix XIII) proposed by the United States government.

Asymmetric encryption uses two different keys for each user: one is a private key known only to that user; the other is a corresponding public key, which is accessible to anyone. The private and public keys are mathematically related by the encryption algorithm.
One key is used for encryption and the other for decryption, depending on the nature of the communication service being implemented. In addition, public key encryption technologies allow digital signatures to be placed on messages. A digital signature uses the sender’s private key to encrypt some portion of the message. When the message is received, the receiver uses the sender’s public key to decipher the digital signature and thereby verify the sender’s identity.

With symmetric encryption, both sender and receiver have a shared secret key. The distribution of the secret key must occur (with adequate protection) prior to any encrypted communication. With asymmetric encryption, however, the sender uses a private key to encrypt or digitally sign messages, while the receiver uses a public key to decipher these messages. The public key can be freely distributed to anyone who needs to receive the encrypted or digitally signed messages. The sender needs to carefully protect only the private key.

To secure the integrity of the public key, the public key is published with a certificate. A certificate (or public key certificate) is a data structure that is digitally signed by a certification authority (CA), an authority that users of the certificate can trust. The certificate contains a series of values, such as the certificate name and usage, information identifying the owner of the public key, the public key itself, an expiration date, and the name of the certificate authority. The CA uses its private key to sign the certificate. If the receiver knows the public key of the certificate authority, the receiver can verify that the certificate is indeed from the trusted CA and, therefore, contains reliable information and a valid public key. Certificates can be distributed electronically (through Web access or e-mail), on smart cards, or on floppy disks.
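The certificate mechanism described above, worked through as an added example that is not from the paper: a CA signs the fields the paper lists (name, usage, owner information, public key, expiration date, issuer name), and a receiver that knows the CA’s public key verifies the signature, rejects a certificate whose public key was altered after signing, and rejects an expired one. The RSA key pair here is a toy built from two fixed Mersenne primes with no padding, purely to make the sign/verify relationship visible; every name, date and key value is constructed.

```python
import hashlib
import json
from datetime import date

# Toy CA key pair for illustration only (assumption: textbook RSA without padding,
# using two fixed Mersenne primes so the modulus is about 2^92; a real CA uses
# 2048-bit or larger keys and a padded signature scheme).
P, Q = 2**61 - 1, 2**31 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (modular inverse, Python 3.8+)
CA_NAME = "Example Root CA (constructed)"
CA_PUBLIC_KEY = (N, E)
CA_PRIVATE_KEY = (N, D)


def digest(data: bytes) -> int:
    """SHA-256 of the data, truncated to 88 bits so it is smaller than the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest()[:11], "big")


def sign(private_key, data: bytes) -> int:
    """The signer 'encrypts' the digest with its private key, as the paper describes."""
    n, d = private_key
    return pow(digest(data), d, n)


def verify(public_key, data: bytes, signature: int) -> bool:
    """The verifier 'decrypts' the signature with the public key and compares digests."""
    n, e = public_key
    return pow(signature, e, n) == digest(data)


def canonical_bytes(fields: dict) -> bytes:
    """Deterministic serialization so signer and verifier hash exactly the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def issue_certificate(owner: str, usage: str, owner_public_key: tuple, expires: str) -> dict:
    """CA side: assemble the certificate fields and sign them with the CA private key."""
    fields = {
        "name": owner,
        "usage": usage,
        "owner_info": {"organization": "Example Corp (constructed)", "contact": "it@example.test"},
        "public_key": list(owner_public_key),
        "expires": expires,  # ISO date
        "issuer": CA_NAME,
    }
    return {"fields": fields, "signature": sign(CA_PRIVATE_KEY, canonical_bytes(fields))}


def verify_certificate(cert: dict, trusted_cas: dict, today: date) -> str:
    """Receiver side: 'valid', or the reason the certificate must not be trusted.
    trusted_cas maps CA name -> CA public key (the receiver's trust store)."""
    fields = cert["fields"]
    ca_key = trusted_cas.get(fields.get("issuer"))
    if ca_key is None:
        return "untrusted issuer"
    if not verify(ca_key, canonical_bytes(fields), cert["signature"]):
        return "bad signature"  # any altered field changes the digest
    if date.fromisoformat(fields["expires"]) < today:
        return "expired"
    return "valid"


def certificate_demo() -> dict:
    """Constructed walk-through: a VPN server certificate checked by a VPN client."""
    trust_store = {CA_NAME: CA_PUBLIC_KEY}
    server_key = (0x0123456789ABCDEF, 65537)  # constructed placeholder for the server's key
    cert = issue_certificate("vpn.example.test", "server authentication", server_key, "2030-01-01")
    # Same certificate with the public key replaced after signing: the CA signature no longer matches
    altered = {"fields": dict(cert["fields"], public_key=[0xDEADBEEF, 65537]),
               "signature": cert["signature"]}
    return {
        "genuine": verify_certificate(cert, trust_store, date(2025, 6, 1)),
        "altered": verify_certificate(altered, trust_store, date(2025, 6, 1)),
        "expired": verify_certificate(cert, trust_store, date(2031, 1, 1)),
        "unknown_ca": verify_certificate(cert, {}, date(2025, 6, 1)),
    }


if __name__ == "__main__":
    print(certificate_demo())
```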
CONCLUSION

Virtual private networks allow users or corporations to connect to remote servers, branch offices, or other companies over a public internetwork while maintaining secure communications. In all of these cases, the secure connection appears to the user as a private network communication, despite the fact that this communication occurs over a public internetwork. VPN technology is designed to address issues surrounding the current business trend toward increased telecommuting and widely distributed global operations, where workers must be able to connect to central resources and communicate with each other.

APPENDIXES

APPENDIX I: IP (Internet Protocol)
(Information From Source In Works Cited #11)

IP (INTERNET PROTOCOL)

Internet Protocol (IP) is the method or protocol by which data is sent from one computer to another on the Internet. Each computer (known as a host) on the Internet has at least one IP address that uniquely identifies it from all other computers on the Internet. When you send or receive data (for example, an e-mail note or a Web page), the message gets divided into little chunks called packets. Each of these packets contains both the sender’s Internet address and the receiver’s address. Any packet is sent first to a gateway computer that understands a small part of the Internet. The gateway computer reads the destination address and forwards the packet to an adjacent gateway that in turn reads the destination, and so forth across the Internet, until one gateway recognizes the packet as belonging to a computer within its immediate neighborhood or domain. That gateway then forwards the packet directly to the computer whose address is specified. Because a message is divided into a number of packets, each packet can, if necessary, be sent by a different route across the Internet. Packets can arrive in a different order than the order they were sent in.
The Internet Protocol just delivers them. It’s up to another protocol, the Transmission Control Protocol (TCP), to put them back in the right order. IP is a connectionless protocol, which means that there is no continuing connection between the end points that are communicating. Each packet that travels through the Internet is treated as an independent unit of data without any relation to any other unit of data. (The reason the packets do get put in the right order is TCP, the connection-oriented protocol that keeps track of the packet sequence in a message.) In the Open Systems Interconnection (OSI) communication model, IP is in layer 3, the Network Layer.

The most widely used version of IP today is Internet Protocol Version 4 (IPv4). However, IP Version 6 (IPv6) is also beginning to be supported. IPv6 provides for much longer addresses and therefore for the possibility of many more Internet users. IPv6 includes the capabilities of IPv4, and any server that can support IPv6 packets can also support IPv4 packets.

APPENDIX II: Internetwork Packet Exchange (IPX)
(Information From Source In Works Cited #12)

INTERNETWORK PACKET EXCHANGE (IPX)

IPX (Internetwork Packet Exchange) is a networking protocol from Novell that interconnects networks that use Novell’s NetWare clients and servers. IPX is a datagram or packet protocol. IPX works at the Network Layer of communication protocols and is connectionless (that is, it doesn’t require that a connection be maintained during an exchange of packets as, for example, a regular voice phone call does). Packet acknowledgment is managed by another Novell protocol, the Sequenced Packet Exchange (SPX). Other related Novell NetWare protocols are the Routing Information Protocol (RIP), the Service Advertising Protocol (SAP), and the NetWare Link Services Protocol (NLSP).
APPENDIX III: Point-To-Point Tunneling Protocol (PPTP)
(Information From Source In Works Cited #5)

POINT-TO-POINT TUNNELING PROTOCOL (PPTP)

You can access a private network through the Internet or other public network by using a virtual private network connection with the Point-to-Point Tunneling Protocol (PPTP). PPTP enables the secure transfer of data from a remote computer to a private server by creating a VPN across TCP/IP-based data networks. PPTP supports on-demand, multiprotocol, virtual private networking over public networks, such as the Internet.

Developed as an extension of the Point-to-Point Protocol (PPP), PPTP adds a new level of enhanced security and multiprotocol communications over the Internet. Specifically, by using the new Extensible Authentication Protocol (EAP), data transfer through a PPTP-enabled VPN is as secure as within a single LAN at a corporate site. PPTP tunnels, or encapsulates, IP, IPX, or NetBEUI protocols inside PPP datagrams. This means that you can remotely run applications that depend on particular network protocols. The tunnel server performs all security checks and validations and enables data encryption, which makes it much safer to send information over non-secure networks. You can also use PPTP in private LAN-to-LAN networking.

PPTP does not require a dial-up connection. It does, however, require IP connectivity between your computer and the server. If you are directly attached to an IP LAN and can reach a server, then you can establish a PPTP tunnel across the LAN. If, however, you are creating a tunnel over the Internet and your normal Internet access is a dial-up connection to an ISP, you must dial up your Internet connection before you can establish the tunnel.
APPENDIX IV: Layer Two Tunneling Protocol (L2TP)
(Information From Source In Works Cited #6)

LAYER TWO TUNNELING PROTOCOL (L2TP)

You can access a private network through the Internet or other public network by using a virtual private network connection with the Layer Two Tunneling Protocol (L2TP). L2TP is an industry-standard Internet tunneling protocol with roughly the same functionality as the Point-to-Point Tunneling Protocol (PPTP). The Windows 2000 implementation of L2TP is designed to run natively over IP networks. This implementation of L2TP does not support native tunneling over X.25, Frame Relay, or ATM networks.

Based on the Layer Two Forwarding (L2F) and Point-to-Point Tunneling Protocol (PPTP) specifications, L2TP can be used to set up tunnels across intervening networks. Like PPTP, L2TP encapsulates Point-to-Point Protocol (PPP) frames, which in turn encapsulate IP, IPX, or NetBEUI protocols, thereby allowing users to remotely run applications that depend on specific network protocols. With L2TP, the computer running Windows 2000 Server that you are logging on to performs all security checks and validations and enables data encryption, which makes it much safer to send information over non-secure networks. By using the new Internet Protocol security (IPSec) authentication and encryption protocol, data transfer through an L2TP-enabled VPN is as secure as within a single LAN at a corporate site.

The Data-Link layer is the protocol layer in a program that handles the moving of data in and out across a physical link in a network. The Data-Link layer is layer 2 in the Open Systems Interconnect (OSI) model for a set of telecommunication protocols.
The Data-Link layer contains two sublayers that are described in the IEEE 802 LAN standards:

Media Access Control (MAC)
Logical Link Control (LLC)

The Data-Link layer ensures that an initial connection has been set up, divides output data into data frames, and handles the acknowledgements from a receiver that the data arrived successfully. It also ensures that incoming data has been received successfully by analyzing bit patterns at special places in the frames.

APPENDIX V: Internet Protocol Security (IPSec)
(Information From Source In Works Cited #21)

INTERNET PROTOCOL SECURITY (IPSEC)

The IPSec protocol suite is a set of IP extensions that provide security services at the network level and that are compatible with the current version of IP (IPv4) as well as IPv6. IPSec protocols are standards-based and provide the three factors needed for secure communications – authentication, integrity, and confidentiality – even in large networks. The end result is that with IPSec-compliant products, you can build a secure VPN in any existing IP-based network.

Network level security is the feature that sets IPSec apart from other Internet security technologies, which secure communications at the application layer and are application specific. Because IPSec secures communications at the network layer (OSI layer 3), it is effective regardless of the application being used. Another differentiating factor is that the network layer in IP networks is entirely homogeneous, and it’s the only layer that is. This means that any communication passing through an IP network has to use the IP protocol. In other layers, different protocols hold sway in different areas for different reasons, depending on the network architecture and the type of communication. But sooner or later everything has to go through the network layer, and there is only one protocol used in that layer – IP. So, if the network layer is secure, the network itself is secure.
This is precisely what IPSec is designed to do. In other words, if you use the IPSec suite where you would normally use IP, you secure all communications in your network – for all applications and for all users – more transparently than you would using any other approach.

The IPSec protocol suite provides three interlocking technologies that combine to defeat traditional threats to IP-based networks:

Authentication header (AH): Information stored in the authentication header ties data in each packet to a verifiable signature, allowing communicating parties to verify both the identity of the person sending the data and that the data has not been altered.

Encapsulating security payload (ESP): The ESP encrypts (scrambles) data (and even certain sensitive IP addresses) in each packet using strong encryption to secure it against eavesdropping during transit.

Internet key exchange (IKE): IKE is a protocol negotiation and key exchange protocol that allows communicating parties to negotiate methods of secure communication. IKE allows users to agree on authentication methods, the keys to use, and how long to use the keys before exchanging them.

APPENDIX VI: Point-To-Point Protocol (PPP)
(Information From Source In Works Cited #6)

POINT-TO-POINT PROTOCOL (PPP)

The Point-to-Point Protocol (PPP) is a set of standard protocols that allow remote access software from different vendors to interoperate. A PPP-enabled connection can dial into remote networks through any industry-standard PPP server. PPP also permits a computer running Windows 2000 Server remote access to receive calls from, and provide network access to, other vendors' remote access software that complies with the PPP standards. The PPP standards also permit advanced features that are not available with older standards such as SLIP. PPP supports several authentication methods, as well as data compression and encryption.
With most PPP implementations, you can automate the entire logon sequence. PPP also supports multiple LAN protocols. You can use TCP/IP, IPX, or NetBEUI as your network protocol. PPP is the basis for the PPTP and L2TP protocols, which are used in secure virtual private network connections.

APPENDIX VII: Layer Three Tunneling Protocol (L3TP)
(Information From Source In Works Cited #6)

LAYER THREE TUNNELING PROTOCOL (L3TP)

In the Open Systems Interconnection (OSI) communications model, the Network layer is level three. It knows the addresses of the neighboring nodes in the network, packages output with the correct network address information, selects routes and Quality Of Service (QoS) (Appendix XIV), and recognizes and forwards to the Transport layer incoming messages for local host domains. Among existing protocols that generally map to the OSI network layer are the Internet Protocol (IP) part of TCP/IP and NetWare IPX/SPX. Both IP Version 4 and IP Version 6 (IPv6) map to the OSI network layer.

APPENDIX VIII: Extensible Authentication Protocol (EAP)
(Information From Source In Works Cited #13)

EXTENSIBLE AUTHENTICATION PROTOCOL (EAP)

Extensible Authentication Protocol (EAP) is an extension to the Point-to-Point Protocol (PPP). EAP was developed in response to an increasing demand for remote access user authentication that uses other security devices. EAP provides a standard mechanism for support of additional authentication methods within PPP. By using EAP, support for a number of authentication schemes may be added, including token cards, one-time passwords, public key authentication using smart cards, certificates, and others.
EAP, in conjunction with strong EAP authentication methods, is a critical technology component for secure virtual private network connections because it offers more security against brute-force or dictionary attacks and password guessing than other authentication methods, such as CHAP.

APPENDIX IX: RSA RC4 Algorithm
(Information From Source In Works Cited #14)

RSA RC4 ALGORITHM

The RSA cryptosystem is a public-key cryptosystem that offers both encryption and digital signatures (authentication). Ronald Rivest, Adi Shamir, and Leonard Adleman developed the RSA system in 1977; RSA stands for the first letter in each of its inventors’ last names.

RC4 is a stream cipher designed by Rivest for RSA Data Security (now RSA Security). It is a variable key-size stream cipher with byte-oriented operations. The algorithm is based on the use of a random permutation. Analysis shows that the period of the cipher is overwhelmingly likely to be greater than 10^100. Eight to sixteen machine operations are required per output byte, and the cipher can be expected to run very quickly in software. Independent analysts have scrutinized the algorithm and it is considered secure. RC4 is used for file encryption in products such as RSA SecurPC. It is also used for secure communications, as in the encryption of traffic to and from secure web sites using the SSL protocol.

APPENDIX X: Microsoft Point-To-Point Encryption (MPPE)
(Information From Source In Works Cited #15)

MICROSOFT POINT-TO-POINT ENCRYPTION (MPPE)

Microsoft Point-to-Point Encryption (MPPE) encrypts data in PPP-based dial-up connections or PPTP VPN connections. Strong (128-bit key) and standard (40-bit key) MPPE encryption schemes are supported. MPPE provides data security between your PPTP connection and the tunnel server. You can use the 40-bit version worldwide; it is built into every computer running Windows 2000.
The 128-bit level of encryption is available only in the United States and Canada. You can enable the 128-bit version by installing a specific version of both client and server software.

APPENDIX XI: Data Encryption Standard (DES)
(Information From Source In Works Cited #16)

DATA ENCRYPTION STANDARD (DES)

Data Encryption Standard (DES) is a widely used method of data encryption using a private (secret) key, judged so difficult to break by the U.S. government that it was restricted from export to other countries. There are 72,000,000,000,000,000 (72 quadrillion) or more possible encryption keys that can be used. For each message, the key is chosen at random from among this enormous number of keys. Like other private key cryptographic methods, both the sender and the receiver must know and use the same private key.

DES was developed in the 1970s by the National Bureau of Standards with the help of the National Security Agency. Its purpose is to provide a standard method for protecting sensitive commercial and unclassified data. IBM created the first draft of the algorithm, calling it LUCIFER. DES officially became a federal standard in November of 1976.

APPENDIX XII: International Data Encryption Algorithm (IDEA)
(Information From Source In Works Cited #22)

INTERNATIONAL DATA ENCRYPTION ALGORITHM (IDEA)

IDEA (International Data Encryption Algorithm) is an encryption algorithm developed at ETH in Zurich, Switzerland. It is a block cipher with a 128-bit key and is generally considered to be very secure. It is considered among the best publicly known algorithms. In the several years that it has been in use, no practical attacks on it have been published despite a number of attempts to find some. IDEA is patented in the United States and in most European countries. The patent is held by Ascom-Tech. Non-commercial use of IDEA is free.
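RC4 as described in Appendix IX, the cipher that MPPE in Appendix X builds on with its 40-bit and 128-bit keys, written out as an added example that is not from the paper: the key-scheduling step turns the key into the permutation the appendix mentions, the generation step walks that permutation to produce keystream bytes, and encryption and decryption are the same XOR. The test vectors named in the comments are the published RC4 examples; the 5-byte and 16-byte keys in the demo are constructed values.

```python
def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes for a variable-length key (1 to 256 bytes)."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    # Key-scheduling algorithm (KSA): turn the key into a permutation S of 0..255
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA): walk S, swapping as it goes. The
    # handful of additions, lookups and one swap per byte is why the appendix
    # describes RC4 as running very quickly in software.
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: one XOR with the keystream does both (symmetric cipher).
    Published vectors: key b"Key" turns b"Plaintext" into bbf316e8d940af0ad3,
    and key b"Wiki" turns b"pedia" into 1021bf0420."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def mppe_style_demo() -> dict:
    """Constructed round trip with the two key sizes MPPE supports (40-bit and 128-bit)."""
    message = b"constructed PPP payload"
    keys = {
        "40-bit": bytes.fromhex("0102030405"),                       # constructed 5-byte key
        "128-bit": bytes.fromhex("000102030405060708090a0b0c0d0e0f"),  # constructed 16-byte key
    }
    results = {}
    for label, key in keys.items():
        ciphertext = rc4_crypt(key, message)
        results[label] = {
            "key_bits": len(key) * 8,
            "ciphertext_hex": ciphertext.hex(),
            "round_trip_ok": rc4_crypt(key, ciphertext) == message,
        }
    return results


if __name__ == "__main__":
    print(rc4_crypt(b"Key", b"Plaintext").hex())
    print(mppe_style_demo())
```

RC4 has since been broken in practice and RFC 7465 (2015) prohibits it in TLS; the block is for understanding the design the appendix and MPPE rely on, not for new deployments.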
APPENDIX XIII: Skipjack Encryption Technology
(Information From Source In Works Cited #17)

SKIPJACK ENCRYPTION TECHNOLOGY

SKIPJACK is a 64-bit “electronic codebook” algorithm that transforms a 64-bit input block into a 64-bit output block. The transformation is parameterized by an 80-bit key and involves performing 32 steps or iterations of a complex, nonlinear function. The algorithm can be used in any one of the four operating modes defined in FIPS 81 for use with the Data Encryption Standard (DES). The SKIPJACK algorithm was developed by NSA and is classified SECRET. It is representative of a family of encryption algorithms developed in 1980 as part of the NSA suite of “Type I” algorithms, suitable for protecting all levels of classified data. The specific algorithm, SKIPJACK, is intended to be used with sensitive but unclassified information.

APPENDIX XIV: Quality Of Service (QoS)
(Information From Source In Works Cited #4)

QUALITY OF SERVICE (QOS)

Quality Of Service (QoS) has to do with the minimum requirements for data quality across a network. These specifications must be planned for well in advance so that they can be implemented into the system. Quality of service (QoS) generally encompasses bandwidth allocation, prioritization, and control over network latency for network applications. QoS aims to ensure that a company’s mission critical traffic has acceptable performance.

There are three QoS building blocks that make up a virtual private network: packet classification, bandwidth management, and congestion avoidance. Packet classification groups packets based on predefined criteria so that the resulting group of packets can then be subjected to specific packet treatments.
The treatments might include faster forwarding by intermediate routers and switches or a lower probability of the packets being dropped due to lack of buffering resources. Once traffic has been classified, the next step is to ensure that it receives special treatment in the routers. This special treatment requires a focus on scheduling and queuing. In the description that follows, a flow is a group of packets which share a common criterion, whether that criterion is a source/destination IP address, a TCP/UDP (Appendix XV) port number, a protocol, or a type of service (TOS) field.

Two examples of bandwidth management implementations are weighted fair queuing (WFQ) based upon class and weighted fair queuing (WFQ) based upon flow. Class-based WFQ aims to provide weighted fair queuing functionality among traffic classes defined by the user. A user could create traffic classes using mechanisms like Access Control Lists (ACLs) and then assign a fraction of the output interface bandwidth to each of these traffic classes. In flow-based WFQ, packets are classified by flow. Each flow corresponds to a separate output queue. When a packet is assigned to a flow, it is placed in the queue for that flow. During periods of congestion, WFQ allocates a portion of the available bandwidth to each active queue. The primary difference between flow-based WFQ and class-based WFQ is that in flow-based WFQ bandwidth allocation is relative to other flows, whereas in class-based WFQ bandwidth allocation is absolute. Class-based WFQ allows the user to assign bandwidth to a class based upon a percentage of the available bandwidth or a fixed kbps value.

Routers handle traffic in a variety of manners; the two most prevalent are traffic shaping and traffic policing. Traffic shaping queues and forwards data streams (as opposed to dropping excess traffic) so as to conform to agreed-upon Service Level Agreements (SLAs) which have been established with the service provider.
Traffic policing actually drops excess traffic and requires re-transmission of the data.

Congestion avoidance is defined as the ability to recognize and act upon congestion on the output direction of an interface so as to reduce or minimize the effects of that congestion. Congestion produces adverse effects in a VPN and should be avoided.

It should be noted that a company’s QoS requirements are important but should be considered separately from the VPN solution; after all, the VPN will blindly encrypt or decrypt packets regardless of their QoS requirements. In order to preserve their QoS requirements, a company should consider a trusted network VPN.

APPENDIX XV: TCP/UDP (Information From Source In Works Cited #6)

TCP/UDP

Transmission Control Protocol/Internet Protocol (TCP/IP) is an industry-standard suite of protocols providing communications in a heterogeneous environment. In addition, TCP/IP provides a routable enterprise networking protocol and access to the worldwide Internet and its resources. It has become the standard protocol used for interoperability among many different types of computers. This interoperability is one of the primary advantages of TCP/IP. Almost all networks support TCP/IP as a protocol. TCP/IP also supports routing and is commonly used as an internetworking protocol. Because of its popularity, TCP/IP has become the de facto standard for internetworking.

Other protocols written specifically for the TCP/IP suite include:
SMTP (Simple Mail Transfer Protocol) – E-mail
FTP (File Transfer Protocol) – For exchanging files among computers running TCP/IP
SNMP (Simple Network Management Protocol) – Network management

Historically, there were two primary disadvantages of TCP/IP: its size and speed. TCP/IP is a relatively large protocol stack, which can cause problems in MS-DOS-based clients.
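The packet classification and the traffic shaping versus traffic policing contrast of Appendix XIV above, as an added example that is not code from this paper or from the Cisco source it cites: a constructed packet burst is classified into flows by source/destination/protocol/port, then run through a token-bucket policer (drops excess) and a token-bucket shaper (queues excess and releases it later). The burst, the rate in bytes per second and the bucket depth in bytes are assumptions.

```python
# Added illustration of Appendix XIV (not from the paper or its cited Cisco
# source).  Burst, rate (bytes/s) and bucket depth (bytes) are constructed.
from collections import defaultdict
# Constructed burst: (arrival time s, src, dst, proto, dst port, size bytes).
BURST = [
    (0.000, "10.0.0.5", "10.0.1.9", "tcp", 443, 1500),
    (0.001, "10.0.0.5", "10.0.1.9", "tcp", 443, 1500),
    (0.002, "10.0.0.7", "10.0.1.9", "udp", 5060, 200),
    (0.003, "10.0.0.5", "10.0.1.9", "tcp", 443, 1500),
    (0.004, "10.0.0.7", "10.0.1.9", "udp", 5060, 200),
    (0.005, "10.0.0.5", "10.0.1.9", "tcp", 443, 1500),
]

def classify(pkt):
    """Packet classification: a flow is the packets sharing these criteria."""
    _, src, dst, proto, dport, _ = pkt
    return (src, dst, proto, dport)

class TokenBucket:
    """Tokens are bytes, accruing at `rate` bytes/s up to `depth` (the burst)."""
    def __init__(self, rate, depth):
        self.rate, self.depth = rate, depth
        self.tokens, self.last = float(depth), 0.0

    def refill(self, now):
        self.tokens = min(self.depth, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def take(self, nbytes, now):
        """Spend tokens at time `now`; False when the packet exceeds the rate."""
        self.refill(now)
        if self.tokens + 1e-9 < nbytes:
            return False
        self.tokens = max(0.0, self.tokens - nbytes)
        return True
    def ready_at(self, nbytes, now):
        """Earliest time >= `now` at which `nbytes` of tokens will be available."""
        self.refill(now)
        return now + max(0.0, nbytes - self.tokens) / self.rate

def police(packets, rate, depth):
    """Traffic policing: excess packets are dropped and must be retransmitted."""
    buckets = defaultdict(lambda: TokenBucket(rate, depth))  # one bucket per flow
    forwarded, dropped = [], []
    for pkt in packets:
        if buckets[classify(pkt)].take(pkt[5], pkt[0]):
            forwarded.append(pkt)
        else:
            dropped.append(pkt)
    return forwarded, dropped

def shape(packets, rate, depth):
    """Traffic shaping: excess packets wait in a per-flow queue and are released
    once they conform.  Returns (packet, release time) pairs; nothing is dropped."""
    buckets = defaultdict(lambda: TokenBucket(rate, depth))
    next_free = defaultdict(float)  # per-flow FIFO: no reordering inside a flow
    released = []
    for pkt in packets:
        key = classify(pkt)
        t = buckets[key].ready_at(pkt[5], max(pkt[0], next_free[key]))
        buckets[key].take(pkt[5], t)  # always succeeds at time t
        next_free[key] = t
        released.append((pkt, round(t, 6)))
    return released

if __name__ == "__main__":
    fwd, drp = police(BURST, 200_000, 2000)
    print("policer forwarded", len(fwd), "dropped", len(drp))
    print("shaper release times", [t for _, t in shape(BURST, 200_000, 2000)])
```

With the same rate and depth the policer discards two of the four TCP packets, while the shaper forwards all six but spreads the TCP flow out to 20 ms, which is the latency cost the appendix's SLA discussion refers to.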
However, on graphical user interface (GUI)-based operating systems, such as Windows NT or Windows 95, the size is not an issue and speed is about the same as IPX.

User Datagram Protocol (UDP) is a connectionless protocol that, like TCP, runs on top of IP networks. Unlike TCP/IP, UDP/IP provides very few error recovery services, offering instead a direct way to send and receive datagrams over an IP network. It is used primarily for broadcasting messages over a network.

APPENDIX XVI: The OSI Model (Information From Source In Works Cited #23)

THE OSI MODEL

In 1978, the International Standards Organization (ISO) released a set of specifications that described a network architecture for connecting dissimilar devices. The original document applied to systems that were open to each other because they could all use the same protocols and standards to exchange information.

Note: Every networking professional needs to be aware of the major standards organizations and how their work affects network communications. The ten organizations that each define standards for a different area of network activity are as follows:
American National Standards Institute (ANSI)
Common Open Software Environment (COSE)
Comité Consultatif International Télégraphique et Téléphonique (CCITT)
Corporation For Open Systems (COS)
Electronics Industries Association (EIA)
Institute Of Electrical And Electronics Engineers, Inc. (IEEE)
International Standards Organization (ISO)
Object Management Group (OMG)
Open Software Foundation (OSF)
SQL Access Group (SAG)

In 1984, the ISO released a revision of this model and called it the Open Systems Interconnection (OSI) reference model. The 1984 revision has become an international standard and serves as a guide for networking. This model is the best-known and most widely used guide to describe networking environments. Vendors design network products based on the specifications of the OSI model. It provides a description of how network hardware and software work together in a layered fashion to make communications possible. It also helps with troubleshooting by providing a frame of reference that describes how components are supposed to function.

A LAYERED ARCHITECTURE

The OSI model is an architecture that divides network communication into seven layers. Each layer covers different network activities, equipment, or protocols.

7. Application Layer
6. Presentation Layer
5. Session Layer
4. Transport Layer
3. Network Layer
2. Data Link Layer
1. Physical Layer

The above figure represents the layered architecture of the OSI model. Layering specifies different functions and services at different levels. Each OSI layer has well-defined networking functions, and the functions of each layer communicate and work with the functions of the layers immediately above and below it. For example, the Session layer must communicate and work with the Presentation and Transport layers.

The lowest layers – 1 and 2 – define the network’s physical media and related tasks, such as putting data bits onto the network adapter cards and cable. The highest layers define how applications access communication services. The higher the layer, the more complex its task. Each layer provides some service or action that prepares the data for delivery over the network to another computer. The layers are separated from each other by boundaries called interfaces. All requests are passed from one layer, through the interface, to the next layer. Each layer builds upon the standards and activities of the layer below it.

RELATIONSHIP OF OSI MODEL LAYERS

The purpose of each layer is to provide services to the next higher layer and to shield the upper layer from the details of how the services are actually implemented. The layers are set up in such a way that each layer acts as if it is communicating with its associated layer on the other computer. This is a logical or virtual communication between peer layers. In reality, actual communication takes place between adjacent layers on one computer. At each layer there is software that implements certain network functions according to a set of protocols.

Before data is passed from one layer to another it is broken down into packets. A packet is a unit of information transmitted as a whole from one device to another on a network. The network passes a packet from one software layer to another in the order of the layers. At each layer the software adds some additional formatting or addressing to the packet, which it needs to be successfully transmitted across the network. At the receiving end, the packet passes through the layers in the reverse order. A software utility at each layer reads the information on the packet, strips it away, and passes the packet up to the next layer. When the packet finally gets passed up to the Application layer, the addressing information has been stripped away and the packet is in its original form, which is readable by the receiver.

Except for the lowest layer in the networking model, no layer can pass information directly to its counterpart on another computer. Information on the sending computer must be passed through all of the lower layers. The information then moves across the networking cable to the receiving computer and up that computer’s networking layers until it arrives at the same layer from which it was sent on the sending computer. For example, if the Network layer sent information from computer A, it moves down through the Data Link and Physical layers on the sending side, over the cable, and up the Physical and Data Link layers on the receiving side to its destination at the Network layer on computer B. In a client/server environment, an example of the kind of information sent from the Network layer on computer A to the Network layer on computer B would be a network address and perhaps some error-checking information added to the packet.

Interaction between adjacent layers occurs through an interface. The interface defines which services the lower networking layer offers to the upper one and how those services will be accessed. In addition, each layer on one computer acts as though it is communicating directly with the same layer on another computer.

The following sections describe the purpose of each of the seven layers of the OSI model and identify the services that they provide to their adjacent layers.

Application Layer

Layer 7, the topmost layer of the OSI model, is the Application layer. It serves as the window for application processes to access network services. This layer represents the services that directly support user applications, such as software for file transfers, for database access, and for e-mail. The lower levels support these tasks performed at the application level. The Application layer handles general network access, flow control, and error recovery.

Presentation Layer

Layer 6, the Presentation layer, determines the format used to exchange data among networked computers. It can be called the network’s translator. At the sending computer, this layer translates data from a format sent down from the Application layer into a commonly recognized, intermediary format. At the receiving computer, this layer translates the intermediary format into a format useful to that computer’s Application layer. The Presentation layer is responsible for protocol conversion, translating the data, encrypting the data, changing or converting the character set, and expanding graphics commands. The Presentation layer also manages data compression to reduce the number of bits that need to be transmitted. A utility known as the redirector operates at this layer. The purpose of the redirector is to redirect input/output (I/O) operations to resources on a server.

Session Layer

Layer 5, the Session layer, allows two applications on different computers to establish, use, and end a connection called a session. This layer performs name recognition and the functions, such as security, needed to allow two applications to communicate over the network. The Session layer provides synchronization between user tasks by placing checkpoints in the data stream. This way, if the network fails, only the data after the last checkpoint has to be retransmitted. This layer also implements dialog control between communicating processes, regulating which side transmits, when, for how long, and so on.

Transport Layer

Layer 4, the Transport layer, provides an additional connection level beneath the Session layer. The Transport layer ensures that packets are delivered error free, in sequence, and with no losses or duplications. This layer repackages messages, dividing long messages into several packets and collecting small packets together in one package. This allows the packets to be transmitted efficiently over the network. At the receiving end, the Transport layer unpacks the messages, reassembles the original messages, and typically sends an acknowledgment of receipt. The Transport layer provides flow control and error handling, and is involved in solving problems concerned with the transmission and reception of packets.

Network Layer

Layer 3, the Network layer, is responsible for addressing messages and translating logical addresses and names into physical addresses. This layer also determines the route from the source to the destination computer. It determines which path the data should take based on network conditions, priority of service, and other factors. It also manages traffic problems on the network, such as packet switching, routing, and controlling the congestion of data. If the network adapter on the router cannot transmit a data chunk as large as the source computer sends, the Network layer on the router compensates by breaking the data into smaller units. On the destination end, the Network layer reassembles the data.

Data Link Layer

Layer 2, the Data Link layer, sends data frames from the Network layer to the Physical layer. On the receiving end, it packages raw bits from the Physical layer into data frames. A data frame is an organized, logical structure in which data can be placed. A simple data frame has several different parts to be noted. The sender ID represents the address of the computer that is sending the information; the destination ID represents the address of the computer to which the information is being sent. The control information is used for frame type, routing, and segmentation information. The data is the information itself. The cyclical redundancy check (CRC) represents error correction and verification information to ensure that the data frame is received properly.

The Data Link layer is responsible for providing the error-free transfer of these frames from one computer to another through the Physical layer. This allows the Network layer to assume virtually error-free transmission over the network connection. Generally, when the Data Link layer sends a frame, it waits for an acknowledgment from the recipient. The recipient Data Link layer detects any problems with the frame that may have occurred during transmission. Frames that were not acknowledged, or frames that were damaged during transmission, are resent.

Physical Layer

Layer 1, the bottommost layer of the OSI model, is the Physical layer. This layer transmits the unstructured raw bit stream over a physical medium (such as the network cable). The Physical layer relates the electrical, optical, mechanical, and functional interfaces to the cable.
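The Data Link frame described above (sender ID, destination ID, control information, data, CRC), as an added example that is not code from this paper or from the Microsoft source it cites: the sending side builds such a frame, the receiving side verifies the CRC before stripping the header and passing the data up, and a damaged frame goes unacknowledged and is resent. The field widths, the 6-byte IDs, the use of CRC-32 and the damage simulation are assumptions.

```python
# Added illustration of the Data Link frame in Appendix XVI (not code from the
# paper or its cited source).  Field widths and 6-byte IDs are constructed.
import struct
import zlib

# sender ID, destination ID, control (frame type), data length; CRC-32 follows data.
HEADER = struct.Struct("!6s6sBH")
CRC = struct.Struct("!I")

def build_frame(sender, dest, control, data):
    """Sending side: wrap Network-layer data in addressing, control and a CRC."""
    body = HEADER.pack(sender, dest, control, len(data)) + data
    return body + CRC.pack(zlib.crc32(body))

def parse_frame(frame):
    """Receiving side: check the CRC, strip the header, hand the data up.
    Returns None for a damaged frame, which is then left unacknowledged."""
    if len(frame) < HEADER.size + CRC.size:
        return None
    body, (crc,) = frame[:-CRC.size], CRC.unpack(frame[-CRC.size:])
    if zlib.crc32(body) != crc:
        return None
    sender, dest, control, length = HEADER.unpack_from(body)
    data = body[HEADER.size:]
    if len(data) != length:
        return None
    return {"sender": sender, "dest": dest, "control": control, "data": data}

def flip_bit(frame, bit_index):
    """Simulated transmission damage: invert one bit of the frame."""
    buf = bytearray(frame)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)

def send_with_ack(frame, channel, max_tries=3):
    """Stop-and-wait at layer 2: resend until the receiver acknowledges the frame.
    `channel` is a callable returning the frame as the receiver saw it.
    Returns (attempts, parsed frame) or None if every try was damaged."""
    for attempt in range(1, max_tries + 1):
        received = parse_frame(channel(frame))
        if received is not None:
            return attempt, received
    return None

def damaging_channel(damage_first_n, bit_index=100):
    """Constructed channel that corrupts the first `damage_first_n` transmissions."""
    count = {"sent": 0}
    def channel(frame):
        count["sent"] += 1
        return flip_bit(frame, bit_index) if count["sent"] <= damage_first_n else frame
    return channel

if __name__ == "__main__":
    frame = build_frame(bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"),
                        1, b"hello over the wire")
    print(parse_frame(frame))
    print(parse_frame(flip_bit(frame, 100)))          # None: CRC mismatch
    print(send_with_ack(frame, damaging_channel(1)))  # delivered on attempt 2
```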
The Physical layer also carries the signals that transmit data generated by all of the higher layers. This layer defines how the cable is attached to the network adapter card. For example, it defines how many pins the connector has and each pin’s function. It also defines which transmission technique will be used to send data over the network cable.

The Physical layer is responsible for transmitting bits (zeros and ones) from one computer to another. The bits themselves have no defined meaning at this level. This layer defines data encoding and bit synchronization, ensuring that when a transmitting host sends a 1 bit, it is received as a 1 bit, not a 0 bit. This layer also defines how long each bit lasts and how each bit is translated into the appropriate electrical or optical impulse for the network cable.

WORKS CITED

1.) Adtran. “Understanding Virtual Private Networking”. Huntsville, AL 35814-4000. 2001. http://www.adtran.com/all/public/
2.) Cisco Systems. “Access VPNs For The Enterprise”. San Jose, CA 95134. 2002. http://www.cisco.com/warp/public/cc/so/neso/vpn/vpnsp/justify/avpnn_bc.htm
3.) Cisco Systems. “IPSec”. San Jose, CA 95134. 2000. http://www.cisco.com/warp/public/cc/so/neso/sqso/eqso/ipsec_wp.htm
4.) Cisco Systems. “Quality Of Service For Virtual Private Networks”. San Jose, CA 95134. 2002. http://www.cisco.com/warp/public/cc/so/neso/vpn/vpne/qsvpn_wp.htm
5.) Microsoft Corporation. “Point-To-Point Tunneling Protocol (PPTP) FAQ”. Redmond, WA 98052-6399. 2001. http://www.microsoft.com/ntserver/productinfo/faqs/pptpfaq.asp?bPrint=True
6.) Microsoft Corporation. “Virtual Private Networking In Windows 2000: An Overview”. Redmond, WA 98052-6399. 1999. http://www.microsoft.com/windows2000/techinfo/howitworks/communications/remoteaccess/vpnoverview.asp
7.) SecGo. “Public Key Infrastructure (PKI): A SecGo Solutions White Paper”. United Kingdom. 2001. http://www.secgo.com/
8.) VPNet Technologies. “What’s A VPN Anyway?”. San Jose, CA 95125. 1998. http://www.vpnet.com
9.) VPN Consortium. “VPN Technologies: Definitions And Requirements”. Santa Cruz, CA 95060. 2002. http://www.vpnc.org
10.) SearchNetworking.com. “A Guide To Virtual Private Networking”. Mike Marney. http://searchnetworking.techtarget.com/tip/1,289483,sid7_gci768367,00.html
11.) SearchNetworking.com. “Internet Protocol”. 11/18/2002. http://searchnetworking.techtarget.com/sDefinition/0,,sid7_gci214031,00.html
12.) SearchNetworking.com. “IPX”. 11/18/2002. http://searchnetworking.techtarget.com/sDefinition/0,,sid7_gci214038,00.html
13.) Microsoft.com. “Extensible Authentication Protocol (EAP)”. 11/18/2002. http://www.microsoft.com/windows2000/en/server/help/auth_eap.htm
14.) RSA Security. “What Is The RSA Cryptosystem”. 11/18/2002. http://www.rsasecurity.com/rsalabs/faq/3-1-1.html
15.) Microsoft.com. “Microsoft Point-To-Point Encryption (MPPE)”. 11/18/2002. http://www.microsoft.com/windows2000/en/server/help/mppe.htm
16.) Lay Networks. “DES Explanation”. 11/18/2002. http://www.laynetworks.com/users/webs/des.htm
17.) The Skipjack Encryption Algorithm Review. Various Authors. 11/18/2002. http://www.totse.com/en/privacy/encryption/skipjack.html
18.) Webopedia.com. “Frame”. 11/18/2002. http://www.webopedia.com/TERM/f/frame.html
19.) Webopedia.com. “Packet”. 11/18/2002. http://www.webopedia.com/TERM/P/Packet.html
20.) Microsoft Service Providers. “What Is IPSec Tunneling?”. Jason Goodman. 11/18/2002. http://www.microsoft.com/serviceproviders/columns/what_is_ipsec_tunneling_987.asp
21.) Alcatel Enterprise. “IPSec (IP Security)”. An Alcatel Executive Briefing. 1/1/2002.
22.) John Savard. “IDEA (International Data Encryption Algorithm)”. 11/18/2002. http://home.ecn.ab.ca/~jsavard/crypto/co0404.htm
23.) Microsoft Networking Essentials. “Hands On, Self-Paced Training for Supporting Local and Wide Area Networks”. 1998.