A VPN (Virtual Private Network) extends a private network across a public network, such as the Internet.
A VPN is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization’s network. A VPN ensures privacy through security procedures and tunneling protocols such as the Layer Two Tunneling Protocol (L2TP). Data is encrypted at the sending end and decrypted at the receiving end.
A VPN connection across the Internet is similar to a wide area network (WAN) link between websites. From a user perspective, the extended network resources are accessed in the same way as resources available within the private network. One major limitation of traditional VPNs is that they are point-to-point, and do not tend to support or connect broadcast domains. Therefore communication, software, and networking, which are based on layer 2 and broadcast packets, such as NetBIOS used in Windows networking, may not be fully supported or work exactly as they would on a real LAN. Variants on VPN, such as Virtual Private LAN Service (VPLS), and layer 2 tunneling protocols, are designed to overcome this limitation.
VPNs allow employees to securely access their company’s intranet while traveling outside the office. Similarly, VPNs securely connect geographically separated offices of an organization, creating one cohesive network. VPN technology is also used by individual Internet users to secure their wireless transactions, to circumvent geo restrictions and censorship, and to connect to proxy servers for the purpose of protecting personal identity and location.
A well-designed VPN can greatly benefit a company. For example, it can:
- Extend geographic connectivity.
- Reduce operational costs versus traditional WANs.
- Reduce transit times and traveling costs for remote users.
- Improve productivity.
- Simplify network topology.
- Provide global networking opportunities.
- Provide telecommuter support.
- Provide faster Return On Investment (ROI) than traditional WAN.
What features are needed in a well-designed VPN? It should incorporate these items:
- Network Management
- Policy Management
- Security mechanisms
To prevent disclosure of private information, VPNs typically allow only authenticated remote access and make use of encryption techniques.
VPNs provide security by the use of tunneling protocols and through security procedures such as encryption.
The VPN security model provides:
- Confidentiality such that even if the network traffic is sniffed at the packet level (see network sniffer and Deep packet inspection), an attacker would only see encrypted data.
- Sender authentication to prevent unauthorized users from accessing the VPN.
- Message integrity to detect any instances of tampering with transmitted messages.
Secure VPN protocols include the following:
- Internet Protocol Security (IPsec) as initially developed by the Internet Engineering Task Force (IETF) for IPv6, which was required in all standards-compliant implementations of IPv6 before RFC 6434 made it only a recommendation. This standards-based security protocol is also widely used with IPv4 and the Layer 2 Tunneling Protocol. Its design meets most security goals: authentication, integrity, and confidentiality. IPsec uses encryption, encapsulating an IP packet inside an IPsec packet. De-encapsulation happens at the end of the tunnel, where the original IP packet is decrypted and forwarded to its intended destination.
- Transport Layer Security (SSL/TLS) can tunnel an entire network’s traffic (as it does in the OpenVPN project and SoftEther VPN project) or secure an individual connection. A number of vendors provide remote-access VPN capabilities through SSL. An SSL VPN can connect from locations where IPsec runs into trouble with Network Address Translation and firewall rules.
- Datagram Transport Layer Security (DTLS): Used in Cisco AnyConnect VPN and in OpenConnect VPN to solve the issues SSL/TLS has with tunneling over UDP.
- Microsoft Point-to-Point Encryption (MPPE) works with the Point-to-Point Tunneling Protocol and in several compatible implementations on other platforms.
- Microsoft Secure Socket Tunneling Protocol (SSTP) tunnels Point-to-Point Protocol (PPP) or Layer 2 Tunneling Protocol traffic through an SSL 3.0 channel. (SSTP was introduced in Windows Server 2008 and in Windows Vista Service Pack 1.)
- Multi Path Virtual Private Network (MPVPN). Ragula Systems Development Company owns the registered trademark “MPVPN”.
- Secure Shell (SSH) VPN: OpenSSH offers VPN tunneling (distinct from port forwarding) to secure remote connections to a network or to inter-network links. OpenSSH server provides a limited number of concurrent tunnels. The VPN feature itself does not support personal authentication.
Tunnel endpoints must be authenticated before secure VPN tunnels can be established. User-created remote-access VPNs may use passwords, biometrics, two-factor authentication or other cryptographic methods. Network-to-network tunnels often use passwords or digital certificates. They permanently store the key to allow the tunnel to establish automatically, without intervention from the user.
Types of VPN
Site-to-Site VPN
Often abbreviated to S2SVPN. It’s a connection between two sites that encrypts all traffic between two (or more) subnets. There are two types of S2SVPN:
- Policy-Based: Interesting traffic triggers an ACL and is encrypted and sent to the remote VPN peer.
- Routed: Traffic is routed into an encrypted tunnel to the remote VPN peer.
A DMVPN (Dynamic Multipoint VPN) is not a protocol but more a technique using different protocols. One or more central hub routers are required, but the remote (spoke) routers can have dynamic IPs and more can be added without having to modify the configuration on the hub router(s), or any other spoke routers. The routers use a next-hop resolution protocol, combined with a dynamic routing protocol to discover remote peers and subnets. The VPN itself is a mGRE tunnel (GRE with multiple endpoints) which is encrypted. This way, traffic between spoke routers does not have to go through the hub router but can be sent directly from spoke to spoke.
A Client VPN is an encrypted connection from one device towards a VPN router. It makes that one remote device appear as a member of a local subnet behind the VPN router. Traffic is tunneled from the device (usually a computer or laptop of a teleworker) towards the VPN router so that the user has access to resources inside the company. It requires client software that needs to be installed and configured.
SSL VPN
This type of VPN works like a client VPN. The difference is that the remote client does not need preconfigured software; instead the browser acts as the VPN software. The browser needs to support active content, which every modern browser supports, either directly or through a plug-in. Traffic is tunneled over SSL (or TLS) to the SSL VPN router. From a networking perspective, traffic is tunneled over layer 4 instead of layer 3. The benefit is that the remote user does not need to configure anything and can simply log in to a web page to start the tunnel. The drawback is that you’ll likely need a dedicated device as the SSL VPN endpoint, because this is not a standard feature.
For Secure VPNs
- General IPsec
- ESP and AH (encryption and authentication headers)
- Key Exchange (ISAKMP, IKE, and others)
- Cryptographic Algorithms
- IPsec Policy Handling
- Remote Access
- SSL and TLS
For Trusted VPNs
- General MPLS
- MPLS constrained by BGP routing
- Transport of layer 2 frames over MPLS
How VPNs Work
When planning or extending a VPN, you should consider the following equipment:
- Network Access Server (NAS): A NAS is responsible for setting up and maintaining each tunnel in a remote-access VPN.
- Firewall: A firewall provides a strong barrier between your private network and the Internet. IT staff can set firewalls to restrict what type of traffic can pass through from the Internet onto a LAN, and on what TCP and UDP ports. Even without a VPN, a LAN should include a firewall to help protect against malicious Internet traffic.
- AAA Server: The acronym stands for the server’s three responsibilities: authentication, authorization and accounting. For each VPN connection, the AAA server confirms who you are (authentication), identifies what you’re allowed to access over the connection (authorization) and tracks what you do while you’re logged in (accounting).
One widely used standard for AAA servers is Remote Authentication Dial-in User Service (RADIUS). Despite its name, RADIUS isn’t just for dial-up users. When a RADIUS server is part of a VPN, it handles authentication for all connections coming through the VPN’s NAS.
VPN components can run alongside other software on a shared server, but this is not typical, and it could put the security and reliability of the VPN at risk. A small business that isn’t outsourcing its VPN services might deploy firewall and RADIUS software on generic servers. However, as a business’s VPN needs increase, so does its need for equipment that’s optimized for the VPN. The following are dedicated VPN devices a business can add to its network. You can purchase these devices from companies that produce network equipment, such as Cisco:
- VPN Concentrator: This device replaces an AAA server installed on a generic server. The hardware and software work together to establish VPN tunnels and handle large numbers of simultaneous connections.
- VPN-enabled/VPN-optimized Router: This is a typical router that delegates traffic on a network, but with the added feature of routing traffic using protocols specific to VPNs.
- VPN-enabled Firewall: This is a conventional firewall protecting traffic between networks, but with the added feature of managing traffic using protocols specific to VPNs.
- VPN Client: This is software running on a dedicated device that acts as the tunnel interface for multiple connections. This setup spares each computer from having to run its own VPN client software.
A well-designed VPN uses several methods in order to keep your connection and data secure.
Data Confidentiality
This is perhaps the most important service provided by any VPN implementation. Since your private data travels over a public network, data confidentiality is vital and can be attained by encrypting the data. This is the process of taking all the data that one computer is sending to another and encoding it into a form that only the other computer will be able to decode.
Most VPNs use one of these protocols to provide encryption.
Internet Protocol Security Protocol (IPsec) provides enhanced security features such as stronger encryption algorithms and more comprehensive authentication. IPsec has two encryption modes: tunnel and transport. Tunnel mode encrypts the header and the payload of each packet while transport mode only encrypts the payload. Only systems that are IPsec-compliant can take advantage of this protocol. Also, all devices must use a common key or certificate and must have very similar security policies set up.
For remote-access VPN users, some form of third-party software package provides the connection and encryption on the user’s PC. IPsec supports either 56-bit (single DES) or 168-bit (triple-DES) encryption.
PPTP was created by the PPTP Forum, a consortium which includes US Robotics, Microsoft, 3COM, Ascend, and ECI Telematics. PPTP supports multi-protocol VPNs, with 40-bit and 128-bit encryption using a protocol called Microsoft Point-to-Point Encryption (MPPE). It is important to note that PPTP by itself does not provide data encryption.
Commonly called L2TP over IPsec, this provides the security of the IPsec protocol over the tunneling of Layer 2 Tunneling Protocol (L2TP). L2TP is the product of a partnership between the members of the PPTP forum, Cisco, and the Internet Engineering Task Force (IETF). It is primarily used for remote-access VPNs with Windows 2000 operating systems, since Windows 2000 provides a native IPsec and L2TP client. Internet Service Providers can also provide L2TP connections for dial-in users, and then encrypt that traffic with IPsec between their access point and the remote office network server.
Data Integrity
While it is important that your data is encrypted over a public network, it is just as important to verify that it has not been changed while in transit. For example, IPsec has a mechanism to ensure that the encrypted portion of the packet, or the entire header and data portion of the packet, has not been tampered with. If tampering is detected, the packet is dropped. Data integrity can also involve authenticating the remote peer.
Data Origin Authentication
It is extremely important to verify the identity of the source of the data that is sent. This is necessary to guard against a number of attacks that depend on spoofing the identity of the sender.
Anti-Replay
This is the ability to detect and reject replayed packets; it helps prevent spoofing.
Data Tunneling/Traffic Flow Confidentiality
Tunneling is the process of encapsulating an entire packet within another packet and sending it over a network. Data tunneling is helpful in cases where it is desirable to hide the identity of the device originating the traffic. For example, a single device that uses IPsec encapsulates traffic that belongs to a number of hosts behind it and adds its own header on top of the existing packets. By encrypting the original packet and header (and routing the packet based on the additional layer 3 header added on top), the tunneling device effectively hides the actual source of the packet. Only the trusted peer is able to determine the true source, after it strips away the additional header and decrypts the original header. As noted in RFC 2401, “…disclosure of the external characteristics of communication also can be a concern in some circumstances. Traffic flow confidentiality is the service that addresses this latter concern by concealing source and destination addresses, message length, or frequency of communication. In the IPsec context, using ESP in tunnel mode, especially at a security gateway, can provide some level of traffic flow confidentiality.”
All the encryption protocols listed here also use tunneling as a means to transfer the encrypted data across the public network. It is important to realize that tunneling, by itself, does not provide data security. The original packet is merely encapsulated inside another protocol and might still be visible with a packet-capture device if not encrypted. It is mentioned here, however, since it is an integral part of how VPNs function.
Tunneling requires three different protocols:
- Passenger Protocol: The original data (IPX, NetBeui, IP) that is carried.
- Encapsulating Protocol: The protocol (GRE, IPsec, L2F, PPTP, L2TP) that is wrapped around the original data.
- Carrier Protocol: The protocol used by the network over which the information is traveling.
The original packet (Passenger protocol) is encapsulated inside the encapsulating protocol, which is then put inside the carrier protocol’s header (usually IP) for transmission over the public network. Note that the encapsulating protocol also quite often carries out the encryption of the data. Protocols such as IPX and NetBeui, which would normally not be transferred across the Internet, can safely and securely be transmitted.
For site-to-site VPNs, the encapsulating protocol is usually IPsec or Generic Routing Encapsulation (GRE). GRE includes information on what type of packet you are encapsulating and information about the connection between the client and server.
For remote-access VPNs, tunneling normally takes place using Point-to-Point Protocol (PPP). Part of the TCP/IP stack, PPP is the carrier for other IP protocols when communicating over the network between the host computer and a remote system. PPP tunneling will use one of PPTP, L2TP or Cisco’s Layer 2 Forwarding (L2F).
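The three-layer structure above (passenger, encapsulating, carrier) worked through for a GRE tunnel, as an added example that is not part of the original page: it builds the carrier packet, decapsulates it, and shows what a capture on the public network sees when the tunnel is not encrypted. The public addresses 203.0.113.1 and 198.51.100.1 and the payload are constructed placeholders; the LAN addresses are the ones used in the configuration later on this page.

```python
import struct

def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def _pack_ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options, TTL 64) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, _pack_ip(src), _pack_ip(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(pkt: bytes) -> dict:
    """Split an IPv4 packet into header fields and payload, verifying the checksum."""
    if len(pkt) < 20 or pkt[0] != 0x45:
        raise ValueError("not a plain IPv4 header")
    if _checksum(pkt[:20]) != 0:
        raise ValueError("bad IPv4 header checksum")
    _, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "proto": proto, "payload": pkt[20:total_len]}

GRE_PROTO = 47          # IPv4 protocol number of the encapsulating protocol (GRE)
GRE_TYPE_IPV4 = 0x0800  # GRE protocol type saying the passenger is IPv4

def gre_encapsulate(passenger: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Encapsulating protocol: 4-byte GRE header (no checksum/key/sequence
    options); carrier protocol: an outer IPv4 header with protocol 47."""
    gre_hdr = struct.pack("!HH", 0x0000, GRE_TYPE_IPV4)
    return build_ipv4(outer_src, outer_dst, GRE_PROTO, gre_hdr + passenger)

def gre_decapsulate(carrier: bytes) -> bytes:
    """Strip the carrier and GRE headers and return the passenger packet."""
    outer = parse_ipv4(carrier)
    if outer["proto"] != GRE_PROTO:
        raise ValueError("carrier is not GRE")
    flags_ver, ptype = struct.unpack("!HH", outer["payload"][:4])
    if flags_ver & 0x0007 or flags_ver & 0xB000:  # version 0 only; C/K/S options unsupported
        raise ValueError("unsupported GRE header")
    if ptype != GRE_TYPE_IPV4:
        raise ValueError("passenger is not IPv4")
    return outer["payload"][4:]

def capture_view(carrier: bytes) -> dict:
    """What a sniffer on the public network learns from an unencrypted tunnel:
    inner addresses and payload are exposed, so tunneling alone is not security."""
    outer = parse_ipv4(carrier)
    inner = parse_ipv4(gre_decapsulate(carrier))
    return {"outer": (outer["src"], outer["dst"]),
            "inner": (inner["src"], inner["dst"]), "inner_payload": inner["payload"]}

# Constructed sample: a host on the page's 192.168.101.0/24 LAN sending to the
# 192.168.102.0/24 LAN through a tunnel between two placeholder public addresses.
PASSENGER = build_ipv4("192.168.101.100", "192.168.102.100", 1, b"echo request")
CARRIER = gre_encapsulate(PASSENGER, "203.0.113.1", "198.51.100.1")
```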
AAA (Authentication, Authorization and Accounting)
AAA (Authentication, Authorization and Accounting) is used for more secure access in a remote-access VPN environment. Without user authentication, anyone who sits at a laptop/PC with pre-configured VPN client software can establish a secure connection into the remote network. With user authentication however, a valid username and password also has to be entered before the connection is completed. Usernames and passwords can be stored on the VPN termination device itself, or on an external AAA server, which can provide authentication to numerous other databases such as Windows NT, Novell, LDAP, and so on.
When a request to establish a tunnel comes in from a dial-up client, the VPN device prompts for a username and password. This can then be authenticated locally or sent to the external AAA server, which checks:
- Who you are (Authentication)
- What you are allowed to do (Authorization)
- What you actually do (Accounting)
The Accounting information is especially useful for tracking client use for security auditing, billing or reporting purposes.
Nonrepudiation
In certain data transfers, especially those related to financial transactions, nonrepudiation is a highly desirable feature. It is helpful in preventing situations where one end denies having taken part in a transaction. Much like a bank requires your signature before honoring your check, nonrepudiation works by attaching a digital signature to the sent message, thus precluding the possibility of the sender denying participation in the transaction.
A number of protocols exist that can be used to build a VPN solution. All of these protocols provide some subset of the services listed in this document. The choice of a protocol depends on the desired set of services. For example, an organization might be comfortable with the data being transferred in clear text but extremely concerned about maintaining its integrity, while another organization might find maintaining data confidentiality absolutely essential. Their choice of protocols might thus be different.
Site-to-Site or LAN-to-LAN VPN
It provides secure IP communication between two branches over an insecure network. The IPsec protocols involved are:
- IKE (Internet Key Exchange)
- ESP (Encapsulating Security Payload)
- AH (Authentication Header)
The services provided are:
- Confidentiality: data is kept secret using encryption (DES, 3DES, AES).
- Integrity: data is not altered during transmission; this is verified using a hash (MD5, SHA).
- Data Origin Authentication: both devices authenticate to each other using a pre-shared key or a certificate.
- Anti-Replay: a packet that arrives late or out of sequence is treated as altered and is dropped. Limits are expressed in time and volume.
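An added example (not from the original page) of the anti-replay check described in the Anti-Replay item above and earlier in this document: a 64-entry sliding window of the kind ESP and AH keep per security association, run over a constructed list of sequence numbers.

```python
SEQ_MAX = 0xFFFFFFFF  # 32-bit ESP/AH sequence number; reaching it forces a rekey

class AntiReplayWindow:
    """Per-SA replay window: accept each sequence number at most once, and
    only while it is within `size` of the highest number seen so far."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence number (top - i) was received
        self.exhausted = False

    def check(self, seq: int) -> bool:
        """True if `seq` is fresh and in-window (state is updated);
        False means drop: replay, older than the window, or invalid."""
        if self.exhausted or seq <= 0 or seq > SEQ_MAX:
            return False
        if seq > self.top:
            # New highest value: slide the window forward by the difference.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 0
            else:
                self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1           # bit 0 is `seq` itself
            self.top = seq
            if seq == SEQ_MAX:
                self.exhausted = True  # the SA must be renegotiated before any reuse
            return True
        behind = self.top - seq
        if behind >= self.size:
            return False               # older than the window: treated as altered
        if self.bitmap & (1 << behind):
            return False               # already received: a replay
        self.bitmap |= 1 << behind     # late but fresh: accept and remember it
        return True

def filter_sequence(seqs, size: int = 64):
    """Run sequence numbers through one window; return accept/drop decisions."""
    window = AntiReplayWindow(size)
    return [window.check(s) for s in seqs]

# Constructed sample: a replayed packet (2), a big jump (100), a late but
# fresh packet (99), one at the window edge (37) and one just outside (36).
SAMPLE_SEQS = [1, 2, 3, 2, 100, 99, 37, 36, 37]

if __name__ == "__main__":
    for seq, ok in zip(SAMPLE_SEQS, filter_sequence(SAMPLE_SEQS)):
        print(f"seq {seq:>3}: {'accept' if ok else 'drop'}")
```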
IKE: IKE provides a framework to exchange the security parameters and policies between two VPN peers.
| IKE Modes | IKE Phase |
| --- | --- |
| Main Mode or Aggressive Mode | Phase 1 |
| Quick Mode | Phase 2 |
Main Mode: In main mode the six messages are exchanged in three steps.
(Note: Proposal = security parameters and policies.)
- The peers exchange proposals.
- The peers exchange keys.
- The peers authenticate each other.
Aggressive Mode: The same negotiation is compressed into three messages.
- The initiator sends its own proposal and secret to the responder.
- The responder authenticates it and sends its own proposal and secret to the initiator.
- The initiator authenticates the session.
Quick Mode: In quick mode the peers re-check their security parameters and policies.
In IKE Phase 1 they create a single bidirectional IKE tunnel.
In IKE Phase 2 they create multiple unidirectional IPsec tunnels.
Anti-replay protection is provided in IP protocol number 50 (ESP).
IPsec modes
- Transport Mode: protects layer 4 and the upper layers.
- Tunnel Mode: protects layer 3 and the upper layers; used for site-to-site and GET VPN.
ISAKMP: Internet Security Association and Key Management Protocol.
IKE is a management protocol; the key-exchange framework it uses is ISAKMP, which runs over UDP port 500.
Example VPN Configuration
PC1(config-if)#ip add 192.168.101.100 255.255.255.0
PC1(config-if)#ip route 0.0.0.0 0.0.0.0 192.168.101.1
PC2(config-if)#ip add 192.168.102.100 255.255.255.0
PC2(config-if)#ip route 0.0.0.0 0.0.0.0 192.168.102.1
R1(config-if)#ip add 192.168.101.1 255.255.255.0
R1(config-if)#ip add 220.127.116.11 255.255.255.0
R1(config-if)#ip route 0.0.0.0 0.0.0.0 18.104.22.168
R1#sh ip route static
ISP(config-if)#ip add 22.214.171.124 255.255.255.0
ISP(config-if)#ip add 126.96.36.199 255.255.255.0
R2(config-if)#ip add 192.168.102.1 255.255.255.0
R2(config-if)#ip add 188.8.131.52 255.255.255.0
R2(config-if)#ip route 0.0.0.0 0.0.0.0 184.108.40.206
R2#sh ip route static
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#! required: the default authentication method is RSA signatures, not the pre-shared key set below
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#exit
R1(config)#crypto isakmp key mani add 220.127.116.11
R1(config)#crypto ipsec transform-set t-set esp-aes esp-sha-hmac
R1(config)#crypto ipsec security-association lifetime seconds 1800
R1(config)#access-list 101 permit ip 192.168.101.0 0.0.0.255 192.168.102.0 0.0.0.255
R1(config)#crypto map test 10 ipsec-isakmp
R1(config-crypto-map)#set peer 18.104.22.168
R1(config-crypto-map)#set transform-set t-set
R1(config-crypto-map)#match address 101
R1(config-if)#crypto map test
R2(config)#crypto isakmp policy 1
R2(config-isakmp)#! must match R1: pre-shared key authentication
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#exit
R2(config)#crypto isakmp key mani add 22.214.171.124
R2(config)#crypto ipsec transform-set ttt esp-aes esp-sha-hmac
R2(config-crypto-trans)#mode tunnel
R2(config)#crypto ipsec security-association lifetime seconds 1800
R2(config)#access-list 102 permit ip 192.168.102.0 0.0.0.255 192.168.101.0 0.0.0.255
R2(config)#crypto map test 10 ipsec-isakmp
R2(config-crypto-map)#set peer 126.96.36.199
R2(config-crypto-map)#set transform-set ttt
R2(config-crypto-map)#match address 102
R2(config-if)#crypto map test
PC1#ping 192.168.102.100 repeat 300
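An added example, not part of the original page or its configuration, that parses the crypto ACLs from the R1 and R2 configuration above and checks them the way an engineer would before bringing the tunnel up: the two peers' ACLs must be mirror images, and only traffic matching them is "interesting" and gets encrypted (the policy-based behaviour described under Types of VPN). The R2_ACL_BAD line and the 203.0.113.9 address are constructed for contrast.

```python
import ipaddress
import re

ACL_RE = re.compile(r"access-list\s+(\d+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care.
    Only a contiguous wildcard (0...01...1) describes a prefix; anything
    else is rejected rather than silently mis-matched."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    bits = format(mask, "032b")
    prefixlen = bits.count("1")
    if bits != "1" * prefixlen + "0" * (32 - prefixlen):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.IPv4Network((addr, prefixlen), strict=False)

def parse_crypto_acl(line: str):
    """Return (acl_number, source_network, destination_network) for one
    'access-list N permit ip SRC WILD DST WILD' line (prompt prefix allowed)."""
    m = ACL_RE.search(line)
    if not m:
        raise ValueError(f"not a simple permit-ip ACL line: {line!r}")
    num, src, swild, dst, dwild = m.groups()
    return int(num), wildcard_to_network(src, swild), wildcard_to_network(dst, dwild)

def are_mirrored(local_line: str, remote_line: str) -> bool:
    """Both peers must describe the same traffic with source/destination swapped;
    otherwise one direction is encrypted and the other is dropped or sent in clear."""
    _, l_src, l_dst = parse_crypto_acl(local_line)
    _, r_src, r_dst = parse_crypto_acl(remote_line)
    return l_src == r_dst and l_dst == r_src

def is_interesting(acl_line: str, src_ip: str, dst_ip: str) -> bool:
    """Policy-based VPN: a packet matching the crypto ACL is sent into the tunnel."""
    _, src_net, dst_net = parse_crypto_acl(acl_line)
    return (ipaddress.IPv4Address(src_ip) in src_net
            and ipaddress.IPv4Address(dst_ip) in dst_net)

# The two ACL lines as they appear in the R1 and R2 configuration above.
R1_ACL = "R1(config)#access-list 101 permit ip 192.168.101.0 0.0.0.255 192.168.102.0 0.0.0.255"
R2_ACL = "R2(config)#access-list 102 permit ip 192.168.102.0 0.0.0.255 192.168.101.0 0.0.0.255"
# Constructed mistake for contrast: R2 pointing at the wrong remote subnet.
R2_ACL_BAD = "R2(config)#access-list 102 permit ip 192.168.102.0 0.0.0.255 192.168.100.0 0.0.0.255"

if __name__ == "__main__":
    print("R1/R2 ACLs mirrored:", are_mirrored(R1_ACL, R2_ACL))
    print("R1/R2(bad) mirrored:", are_mirrored(R1_ACL, R2_ACL_BAD))
    print("PC1->PC2 encrypted:", is_interesting(R1_ACL, "192.168.101.100", "192.168.102.100"))
    print("PC1->Internet encrypted:", is_interesting(R1_ACL, "192.168.101.100", "203.0.113.9"))
```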