Virtual Private Networks
© J. Liebeherr, All rights reserved
Goal of VPN
• The goal of a Virtual Private Network (VPN) is to provide private
communication over the public Internet infrastructure
• VPNs combine several networking technologies to achieve this goal
• The basic concepts:
– Build a virtual overlay network that runs on top of the infrastructure of
the Internet
– “Virtual” means that no new physical infrastructure is needed
– Connect private networks through the overlay network
10/22/05
Why is there a need for VPN?
• The Internet has insufficient security mechanisms
– IP packets are not authenticated or encrypted
– Anyone with access to the network path can read (or modify) the content of IP traffic
• Application-layer solutions are not always suitable
– Secure Web access, secure mail clients, secure file transfer, and secure
terminal applications are only point-to-point solutions and assume a client/server relationship
– Application-layer solutions require that each application is protected in
isolation, which does not secure the network as a whole
VPN Overlay Network
[Figure: three private intranets, each behind a VPN router, connected across the
public Internet by IP-in-IP tunnels between the VPN routers]
Tunneling
• VPN routers connect via IP tunnels
• With tunneling, the original IP packet (header and payload) becomes the payload
of a new IP packet, i.e., it is encapsulated by a second, outer IP header
(IP-in-IP encapsulation); routers in the public Internet forward on the outer
header only
[Figure: IP-in-IP tunnel. The sending VPN router prepends an outer IP header to
the original packet (IP header + payload), so the original packet travels as the
payload of the outer IPv4 header; a router in the public Internet forwards on the
outer header; the receiving VPN router removes the outer header and delivers the
original packet]
VPN Security
• VPNs use many security mechanisms
– Authentication: Identify VPN users and devices
– Access control: Ensure authorized use of VPN resources
– Data security: Use cryptography to keep content transmitted over the VPN
confidential
Components of a VPN Solution
VPN Gateway:
• Located at the corporate network perimeter, the gateway performs tunneling,
authentication, access control, and data security.
• Sometimes, VPN gateway functions are integrated into a router or firewall
VPN Client:
• Software used for remote VPN access
• Creates a secure path from a remote client computer to a VPN gateway
[Figure: two private networks, each behind a VPN gateway, connected across the
public network]
VPN Architectures
• VPN architectures can be separated into three scenarios:
1. Site-to-Site Intranet VPN:
– Multiple network sites at different locations within the same organization
are connected using a VPN to form a larger corporate network
2. Remote Access VPN:
– Connects a single remote device to a corporate intranet
3. Extranet VPN:
– Network resources within a corporate network are opened to outside parties
(e.g., partners or customers) for dedicated purposes
Site-to-Site Intranet VPN
• VPN tunnels establish secure communication links
[Figure: three intranets, each behind a VPN gateway, joined by VPN tunnels
across the public Internet]
Remote Access VPN
• Also called: Virtual Private Dial Network (VPDN)
Extranet VPN
[Figure: the corporate intranet's VPN gateway reaches across the public Internet
by VPN tunnels to a partner network (partner access, via the partner's own VPN
gateway) and to a customer site behind a cable modem (customer access)]
VPN Tunneling Protocols
• Role of VPN tunnels:
1. Encapsulation of messages
2. Carry privately addressed packets across the public infrastructure
3. Provide data integrity and confidentiality
– Layer-2 tunneling protocols carry Point-to-Point Protocol (PPP) frames
through IP networks
– PPP:
– PPP is used to send IP packets over serial connections
– Used extensively for point-to-point data links (dial-in)
– Can provide authentication
PPP frame (HDLC-like framing; the last row gives the field length in bytes,
protocol 0021 means the data field carries an IP datagram):
  flag  addr  ctrl  protocol  data          CRC  flag
  7E    FF    03    0021      IP datagram        7E
  1     1     1     2         <= 1500       2    1
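The framing just described, as an added example in Python (not code from the original slides): it builds and parses the HDLC-like PPP frame of the table above, computing the 16-bit FCS (the CRC column) with the RFC 1662 algorithm and applying byte stuffing so that flag bytes inside the data cannot be mistaken for a frame boundary. The sample payload used in the comments and tests is a constructed byte string, not a real IP datagram.

```python
import struct

# Field values from RFC 1661/1662, matching the frame layout in the table above
PPP_FLAG, PPP_ESC = 0x7E, 0x7D
PPP_ADDR, PPP_CTRL = 0xFF, 0x03
PPP_PROTO_IP = 0x0021
FCS_INIT, FCS_GOOD = 0xFFFF, 0xF0B8   # RFC 1662 initial value and "good" residue


def fcs16(data: bytes, fcs: int = FCS_INIT) -> int:
    """Bit-serial CRC-16 with reflected polynomial 0x8408 (x^16+x^12+x^5+1)."""
    for byte in data:
        fcs ^= byte
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs


def ppp_frame(payload: bytes, protocol: int = PPP_PROTO_IP) -> bytes:
    """flag | addr | ctrl | protocol | data | FCS | flag, with byte stuffing."""
    body = bytes([PPP_ADDR, PPP_CTRL]) + struct.pack("!H", protocol) + payload
    fcs = fcs16(body) ^ 0xFFFF          # transmitted FCS is the one's complement
    body += struct.pack("<H", fcs)       # ... sent least-significant byte first
    out = bytearray([PPP_FLAG])
    for byte in body:
        # Flag and escape bytes (and, with the default ACCM, every byte < 0x20)
        # are escaped so the receiver never mistakes data for a frame boundary.
        if byte in (PPP_FLAG, PPP_ESC) or byte < 0x20:
            out += bytes([PPP_ESC, byte ^ 0x20])
        else:
            out.append(byte)
    out.append(PPP_FLAG)
    return bytes(out)


def ppp_unframe(frame: bytes):
    """Reverse ppp_frame; return (protocol, data) or raise ValueError."""
    if len(frame) < 2 or frame[0] != PPP_FLAG or frame[-1] != PPP_FLAG:
        raise ValueError("missing flag bytes")
    raw = bytearray()
    pending_escape = False
    for byte in frame[1:-1]:
        if pending_escape:
            raw.append(byte ^ 0x20)
            pending_escape = False
        elif byte == PPP_ESC:
            pending_escape = True
        elif byte == PPP_FLAG:
            raise ValueError("unescaped flag inside frame")
        else:
            raw.append(byte)
    if pending_escape:
        raise ValueError("frame ends in an escape byte")
    if len(raw) < 6:
        raise ValueError("frame too short for addr/ctrl/protocol/FCS")
    # Running the CRC over the data *and* the received FCS must give the fixed
    # residue 0xF0B8 (RFC 1662); anything else means the frame was corrupted.
    if fcs16(bytes(raw)) != FCS_GOOD:
        raise ValueError("bad FCS")
    if raw[0] != PPP_ADDR or raw[1] != PPP_CTRL:
        raise ValueError("unexpected address/control field")
    protocol = struct.unpack("!H", raw[2:4])[0]
    return protocol, bytes(raw[4:-2])
```

The FCS catches line noise, not tampering: it is a plain CRC, so anyone who can change bytes on the link can recompute it. Data security for a VPN therefore has to come from the cryptographic mechanisms on the earlier slides, not from the PPP frame itself.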
Layer-2 Tunneling Protocol
• Developed to facilitate PPP access by remote computers to a private
network over an IP-based network
Remote Dial-in:
• Remote Access Service (RAS) provides banks of phone lines for connecting
remote users
• Remote system calls up and establishes a PPP connection to the RAS service
[Figure: remote system, Telephone Network, RAS Server, Intranet; the PPP
connection runs between the remote system and the RAS server]
With Layer-2 tunneling:
• Approach: Tunnel PPP packets through the Internet
• Access concentrator (possibly inside the remote system) encapsulates
PPP frames
• Network server terminates the VPN tunnel
[Figure: remote system, Access Concentrator, Internet, Network Server, Intranet;
the tunnel runs between the access concentrator and the network server and
carries the PPP connection]
Layer-2 Tunneling Protocols
Point-to-Point Tunneling Protocol (PPTP):
– Developed by Microsoft, 3Com, US Robotics, and others
– Goal: Provide VPN between remote access users and network servers
– Approach: Tunneling on client systems
Layer-2 Forwarding Protocol (L2F):
– Developed by Cisco, Nortel and others
– Virtual dial-up protocol for managed networks
– Approach: Tunneling is performed as a network service (not by the client)
Layer-2 Tunneling Protocol (L2TP):
– Developed within the IETF
– Combines concepts of PPTP and L2F
Remote Dial-in Layer-2 Tunneling Protocol
[Figure: remote client, ISP Network Server, Internet, Network Server, Intranet.
A PPP connection runs between the client and the ISP network server; the PPTP
control channel and the PPTP tunnel run from the client across the Internet to
the network server; a second PPP connection runs inside the tunnel and carries
the IP packets]
Assumes the Layer-2 tunneling protocol PPTP:
• User dials in to the ISP and establishes a PPP connection
• Establishes a TCP connection (port 1723) to the network server to set up a control channel
• Establishes a PPTP tunnel (GRE) to the network server
• Establishes a PPP connection that sends PPP frames over the PPTP tunnel
• IP packets are carried in the PPP frames
Encapsulation at remote client
[Figure: same topology as the previous slide: remote client, ISP Network Server,
Internet, Network Server, Intranet, with PPP to the ISP, the PPTP control
channel and tunnel across the Internet, and PPP carrying IP inside the tunnel]
Encapsulation steps at the remote client (innermost to outermost):
IP header | Payload                                        Original IP packet
PPP | IP header | Payload                                  PPP encapsulation to remote Network Server
GRE header | PPP | IP header | Payload                     GRE header is used by PPTP
IP header | GRE header | PPP | IP header | Payload         IP header for public Internet
PPP | IP header | GRE header | PPP | IP header | Payload   PPP encapsulation to ISP Network Server
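Both encapsulations covered in these slides, the IP-in-IP tunnel of the Tunneling slide and the client-side PPTP stack in the table above, as one added Python example (not code from the original slides): it builds each layer with correct IPv4 header checksums, then peels the layers back in the order a receiver would, checking at every step that the protocol field announces the layer that follows. The addresses (documentation ranges), call ID, sequence number and payload are constructed sample values; the GRE fields follow the enhanced GRE header of RFC 2637 and the IP-in-IP format follows RFC 2003.

```python
import socket
import struct

IPPROTO_IPIP, IPPROTO_GRE = 4, 47   # outer-header protocol numbers
GRE_PROTO_PPP = 0x880B              # GRE protocol type for PPP (RFC 2637)
PPP_PROTO_IP = 0x0021               # PPP protocol number for IPv4

def inet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload); raise ValueError on a bad header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if inet_checksum(pkt[:ihl]) != 0:   # a valid header checksums to zero
        raise ValueError("bad IPv4 header checksum")
    total = struct.unpack("!H", pkt[2:4])[0]
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]),
            pkt[9], pkt[ihl:total])

# --- IP-in-IP tunnel between two VPN routers ("Tunneling" slide) ---
def ipip_encap(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    return ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner)

def ipip_decap(outer: bytes, peer: str) -> bytes:
    src, _dst, proto, inner = parse_ipv4(outer)
    if proto != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP packet")
    # Plain IP-in-IP carries no authentication: this check stops misrouted
    # traffic, not attackers, because the outer source address is spoofable.
    if src != peer:
        raise ValueError("outer source is not the tunnel peer")
    parse_ipv4(inner)                    # inner packet must itself be well formed
    return inner

# --- PPTP client stack: IP -> PPP -> GRE -> IP -> PPP ("Encapsulation" slide) ---
def ppp(payload: bytes, proto: int = PPP_PROTO_IP) -> bytes:
    return bytes([0xFF, 0x03]) + struct.pack("!H", proto) + payload

def parse_ppp(frame: bytes):
    if frame[:2] == b"\xff\x03":         # address/control may be compressed away
        frame = frame[2:]
    return struct.unpack("!H", frame[:2])[0], frame[2:]

def gre_ppp(ppp_frame: bytes, call_id: int, seq: int) -> bytes:
    # Enhanced GRE: K and S bits set, version 1; key = payload length + call ID
    return struct.pack("!HHHHI", 0x3001, GRE_PROTO_PPP, len(ppp_frame),
                       call_id, seq) + ppp_frame

def parse_gre(pkt: bytes):
    flags, proto, plen, call_id = struct.unpack("!HHHH", pkt[:8])
    if flags & 0x0007 != 1 or not flags & 0x2000 or proto != GRE_PROTO_PPP:
        raise ValueError("not a PPTP enhanced-GRE packet")
    off, seq, ack = 8, None, None
    if flags & 0x1000:                   # S bit: sequence number present
        seq, off = struct.unpack("!I", pkt[off:off + 4])[0], off + 4
    if flags & 0x0080:                   # A bit: acknowledgment number present
        ack, off = struct.unpack("!I", pkt[off:off + 4])[0], off + 4
    return call_id, seq, ack, pkt[off:off + plen]

def pptp_stack(inner: bytes, client: str, server: str, call_id: int, seq: int) -> bytes:
    """Build the frame the remote client hands to its ISP link, layer by layer."""
    return ppp(ipv4(client, server, IPPROTO_GRE, gre_ppp(ppp(inner), call_id, seq)))

def pptp_unstack(frame: bytes):
    """Peel the layers in order; return (public src, call_id, seq, inner IP packet)."""
    proto, pkt = parse_ppp(frame)        # PPP link to the ISP network server
    if proto != PPP_PROTO_IP:
        raise ValueError("outer PPP frame does not carry IP")
    src, _dst, ip_proto, gre = parse_ipv4(pkt)   # header for the public Internet
    if ip_proto != IPPROTO_GRE:
        raise ValueError("public IP packet is not GRE")
    call_id, seq, _ack, tunneled = parse_gre(gre)
    proto, inner = parse_ppp(tunneled)   # PPP frame to the remote network server
    if proto != PPP_PROTO_IP:
        raise ValueError("tunneled PPP frame does not carry IP")
    parse_ipv4(inner)                    # the original IP packet
    return src, call_id, seq, inner
```

Note what the receiving side can and cannot verify here. The checksum and protocol-field checks reject malformed packets, but nothing in IP-in-IP, GRE or PPP authenticates the sender: the outer source address and the GRE call ID are attacker-controlled, so the peer check in ipip_decap stops misrouted traffic, not spoofed traffic. Closing that gap is what the mechanisms on the "VPN Security" slide, and the IPsec approach on the last slide, are for.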
Other VPN approaches
IPSec:
– Protocol suite for secure communications at Layer-3
– Consists of security headers (AH and ESP) and a set of supporting protocols
(e.g., for key management)
– Originally designed for IPv6
– Provides services for authentication, integrity, and confidentiality
– Can perform tunneling of IP datagrams (tunnel mode)
MPLS:
– LSPs can provide data-link connections between remote networks
– Builds on the isolation of LSPs in the MPLS network; provides no encryption
by itself
SSH/PPP:
– Secure Shell (SSH) provides secure access to remote hosts
– Assumes a client/server relationship
– Intended as a replacement for insecure protocols such as Telnet, rsh, etc.
– VPN services can be built by creating a PPP connection within an SSH
connection