Networking
BMA 373
February 18, 2002
A Virtual Private Network (VPN) is essentially a networking system that allows a private network to be accessed over a shared or publicly used network, such as the Internet. This networking solution is used by many companies, both large and small. VPN ensures security by sending its data packets through “tunnels”. It can be implemented and maintained by the company that purchased it, or it is available through outsourcing, where another provider will install and monitor the network. VPN is cost efficient, and using it will pay for itself and then some.
According to the Microsoft Corp., “a virtual private network (VPN) is the extension of a private network that encompasses links across shared or public networks like the Internet,” (1). This networking capability allows remote clients to connect to their company’s private network through a public internetwork, most likely the Internet. Companies can also use VPN to connect to branch offices or other companies. The name virtual private network comes from the fact that when users connect to the network over the Internet, it virtually appears to them that they are on a private network, when in reality they are using the public Internet (1).
Before VPN was established, many companies had to connect their mobile and remote users by using a remote access server (RAS) and having them dial up through a long distance number or an 800-number. The costs involved with implementing and maintaining a RAS were high, and the long distance phone charges were even more of an inconvenience. Nowadays, with VPN, “remote users can establish dial-up connections to local ISPs and connect, via the Internet, to a VPN server at headquarters,” (ADTRAN 15). To connect remote sites to the headquarters over the Internet, there are two methods: using dedicated lines or using dial-up lines. With a dedicated line, both the remote site and the corporate hub routers use a local dedicated circuit and a local ISP to connect to the Internet. From there, the VPN software uses the ISP connections to create a virtual private network between the two sites. With a dial-up line, the remote site calls up its local ISP to connect to the Internet, and then the VPN software creates a VPN between the remote site’s router and the corporate hub’s router (3).
The essential part of a virtual private network, the part that makes it “virtually private”, is a tunnel. A tunnel is the logical path that encapsulated packets travel through the internetwork. Data that is transferred through a network is known as a payload. These payloads are sent through the network in frames or packets. When a VPN sends the data through, the tunneling protocol encapsulates the packet in an additional header that provides routing information for where the packet is to go. When a packet reaches its destination on the internetwork, the packet is decapsulated and forwarded to its final destination. The whole tunneling process includes the encapsulation, transmission, and decapsulation of the packets (Microsoft 6). The tunneling process sounds like it describes a fixed path for the data, but like other Internet traffic, the “VPN tunnel packets may take different paths between the two endpoints” (ADTRAN 4). In this tunnel, only the recipients at the other endpoint will be able to decrypt the message that a person has sent, giving this idea a sort of “tunnel vision”.
In order for a tunnel to be established, the tunnel client and the tunnel server must be using the same tunneling protocol. The tunneling technology involved with VPN is based on either a Layer 2 or a Layer 3 tunneling protocol. A Layer 2 protocol, such as Point-to-Point Tunneling Protocol (PPTP) or Layer Two Tunneling Protocol (L2TP), encapsulates the payload in a Point-to-Point Protocol (PPP) frame to be sent across the internetwork. A Layer 3 protocol, such as Internet Protocol Security (IPSec), encapsulates the Internet Protocol (IP) packets in an extra IP header before sending them across the IP internetwork. With Layer 2 tunneling technologies, the tunnel is similar to a session, where both endpoints must agree to a tunnel and negotiate the configuration variables. These variables include address assignments and encryption or compression parameters. The tunnel then goes through three phases, in which it is created, maintained, and then terminated. With a Layer 3 tunneling technology, it is assumed that all of the configuration concerns are already taken care of, so it is possible that the maintenance phase of the tunnel will not even be needed (Microsoft 7). The features of these protocols are based heavily on the Point-to-Point Protocol (PPP).
The Point-to-Point Protocol, according to Microsoft, “was designed to send data across dial-up or dedicated point-to-point connections,” (9). Before the PPP connection is ready to transfer user data, four phases must be completed successfully. Phase 1 is the PPP link establishment, where the Link Control Protocol (LCP) is used and the basic communication options are selected. Also during this phase, it is negotiated whether to use compression and/or encryption when sending the data; the actual activation of these options does not happen until phase 4. In phase 2, the authentication of the client user is performed (9). The network access server (NAS) validates the user data against its own database to ensure authentication. Phase 3 of PPP is an optional Microsoft implementation that uses the Callback Control Protocol (CBCP) to provide an additional level of security. If this protocol is configured, the remote client and the NAS disconnect after authentication, and then the NAS calls the remote client back at a particular phone number. The fourth and final phase of PPP is the invoking of the network control protocols (NCPs). These protocols, such as data encryption and compression, implement what was negotiated during phase 1. After these four negotiation phases have been completed, PPP begins to forward data between the two endpoints (11).
One of the Layer 2 tunneling protocols is known as Point-to-Point Tunneling Protocol (PPTP). This protocol “encapsulates PPP frames in IP datagrams for transmission over an IP internetwork, such as the Internet,” (Microsoft 12). A TCP connection is used for tunnel maintenance, and a modified version of Generic Routing Encapsulation (GRE) is used to encapsulate the PPP frames for the payload. These payloads can then be encrypted and/or compressed (12). The encryption of this data is based on the Rivest-Shamir-Adleman (RSA) RC-4 encryption algorithm, which uses 40, 56, or 128-bit encryption keys (13). PPTP can be used on computers running Windows XP, Windows 2000, Windows NT version 4.0, Windows Millennium Edition (ME), Windows 98, and Windows 95 with Dial-Up Networking (14).
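The modified GRE encapsulation that PPTP uses for its data channel can be made concrete. The following is an added example written for this page, not code from the paper or from Microsoft: it packs and parses the enhanced GRE header as laid out in RFC 2637 (protocol type 0x880B for PPP, a 16-bit payload length, a 16-bit call ID, and optional sequence and acknowledgment numbers). The PPP frame carried as payload is constructed sample input, and the encryption and compression the paper mentions are not applied here; the function names are this example's own.

```python
import struct

# Added example: PPTP's enhanced GRE header (RFC 2637). The PPP frame carried as
# payload is constructed sample data; no encryption or compression is applied.
GRE_PROTO_PPP = 0x880B   # protocol type that marks a PPP payload
GRE_VERSION = 0x0001     # Ver = 1 identifies enhanced GRE
FLAG_K = 0x2000          # key present (payload length + call ID); always set in PPTP
FLAG_S = 0x1000          # sequence number present
FLAG_A = 0x0080          # acknowledgment number present
PPP_PROTO_IPV4 = 0x0021  # PPP protocol field value for an IPv4 datagram


def ppp_frame(protocol, data):
    """PPP frame as carried by PPTP: 2-byte protocol field, then the datagram
    (no HDLC flags or CRC, which GRE does not need)."""
    return struct.pack("!H", protocol) + data


def build_pptp_gre(call_id, payload=b"", seq=None, ack=None):
    """Encapsulate a PPP frame in an enhanced GRE header addressed to a call ID."""
    flags = FLAG_K | GRE_VERSION
    flags |= FLAG_S if seq is not None else 0
    flags |= FLAG_A if ack is not None else 0
    header = struct.pack("!HHHH", flags, GRE_PROTO_PPP, len(payload), call_id)
    if seq is not None:
        header += struct.pack("!I", seq)
    if ack is not None:
        header += struct.pack("!I", ack)
    return header + payload


def parse_pptp_gre(packet):
    """Decapsulate: validate the header, then return call ID, seq, ack and the PPP frame."""
    if len(packet) < 8:
        raise ValueError("truncated GRE header")
    flags, proto, length, call_id = struct.unpack("!HHHH", packet[:8])
    if proto != GRE_PROTO_PPP or (flags & 0x0007) != GRE_VERSION or not flags & FLAG_K:
        raise ValueError("not a PPTP enhanced GRE packet")
    offset, seq, ack = 8, None, None
    if flags & FLAG_S:
        (seq,) = struct.unpack("!I", packet[offset:offset + 4])
        offset += 4
    if flags & FLAG_A:
        (ack,) = struct.unpack("!I", packet[offset:offset + 4])
        offset += 4
    frame = packet[offset:offset + length]
    if len(frame) != length:  # the length field must agree with what actually arrived
        raise ValueError("payload shorter than declared length")
    return {"call_id": call_id, "seq": seq, "ack": ack, "ppp_frame": frame}


def is_pptp_gre(packet):
    """True when the packet parses as well-formed PPTP GRE; malformed input is refused."""
    try:
        parse_pptp_gre(packet)
        return True
    except (ValueError, struct.error):
        return False
```

The sequence number is what lets the receiver notice lost or reordered PPP frames, and the declared-length check is the kind of validation a tunnel server needs before handing the frame to PPP: the header is trusted only after every field has been checked against the bytes that actually arrived.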
The second Layer 2 tunneling protocol is known as just that, Layer Two Tunneling Protocol (L2TP). This protocol combines the best features of both PPTP and Layer 2 Forwarding (L2F), which was developed by Cisco Systems, Inc. L2TP can be used over the Internet when IP is configured as its datagram transport. It will “encapsulate PPP frames to be sent over IP, X.25, Frame Relay, or Asynchronous Transfer Mode (ATM) networks,” (Microsoft 12). When used over IP internetworks, it uses the User Datagram Protocol (UDP) and a series of L2TP messages for tunnel maintenance. A UDP header is also attached to the payload that is being sent. These payloads can also be encrypted and/or compressed for transmission (12). This type of connection also uses the Data Encryption Standard (DES), with either a single 56-bit key for DES or three 56-bit keys for 3-DES. “L2TP connections provide stronger authentication by requiring both computer-level authentication through certificates and user-level authentication through a PPP authentication protocol,” (14). L2TP can only be used on computers with Windows XP and Windows 2000 VPN clients (14).
Internet Protocol Security (IPSec) tunnel mode “is a Layer 3 protocol standard that supports the secured transfer of information across an IP internetwork,” (Microsoft 14). As the Internet standard protocol, it addresses basic usage issues such as access control, connection integrity, data origin authentication, replay protection (preventing a series of packets from being resent), and traffic flow confidentiality. This protocol uses two operational modes: Transport mode and Tunnel mode. Transport mode protects everything in the packet behind, but not including, the IP header. Tunnel mode protects everything behind and including the IP header, which then requires a new pseudo IP header (ADTRAN 10). Tunnel mode uses the negotiated security method to encapsulate and encrypt the entire IP packet for transfer (Microsoft 14). The encrypted payload is encapsulated again and has a plain-text IP header attached before being sent onto the internetwork for transport to the tunnel server. The tunnel server then receives the payload, discards the plain-text IP header, and decrypts the data to get the original payload IP packet. This packet is then routed as normal to its destination on the network (15). As with L2TP, IPSec can only be used on computers with Windows XP or Windows 2000 VPN clients (14).
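The tunneling process described earlier (encapsulation, transmission, decapsulation) and IPSec tunnel mode as described in this paragraph, in one worked example. This is added code written for this page, not from the paper, Microsoft or ADTRAN. It builds an inner IP packet between private addresses, encrypts and integrity-protects the whole packet (header included), prepends a sequence number, attaches a plain-text outer IP header, and on the receiving side discards that header, enforces a sliding anti-replay window, verifies the tag and decrypts. Assumptions: the cipher is a stand-in keystream built from HMAC-SHA256 in counter mode (not DES/3DES and not a real ESP transform) so that the example runs on the Python standard library alone; the addresses, keys and payload are constructed; the `TunnelEndpoint` and `ReplayWindow` names are this example's own. The protocol number 50 is the real IP protocol number of ESP.

```python
import hashlib, hmac, ipaddress, struct

# Added example: stand-in tunnel-mode encapsulation. Keys, addresses and payload
# are constructed; the cipher is an HMAC-SHA256 counter-mode keystream, not DES/3DES.
IPPROTO_ESP = 50  # real IP protocol number of IPSec ESP
TAG_LEN = 16      # truncated HMAC tag appended to each sealed body


def checksum(data):
    """RFC 1071 one's-complement checksum over the IPv4 header."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src, dst, proto, payload, ttl=64):
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(packet):
    """Return (src, dst, proto, payload); a corrupted header is rejected."""
    ihl = (packet[0] & 0x0F) * 4
    if checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return (ipaddress.IPv4Address(packet[12:16]), ipaddress.IPv4Address(packet[16:20]),
            packet[9], packet[ihl:])


def keystream(key, seq, n):
    """Stand-in stream cipher: HMAC-SHA256 in counter mode, bound to the sequence number."""
    blocks = [hmac.new(key, struct.pack("!IQ", seq, i), hashlib.sha256).digest()
              for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]


def seal(enc_key, mac_key, seq, inner):
    """seq || encrypt(inner packet) || tag: the original header and payload become opaque."""
    ct = bytes(a ^ b for a, b in zip(inner, keystream(enc_key, seq, len(inner))))
    body = struct.pack("!I", seq) + ct
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()[:TAG_LEN]


def open_sealed(enc_key, mac_key, sealed):
    """Check the tag before decrypting; return (seq, inner packet)."""
    body, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest()[:TAG_LEN], tag):
        raise ValueError("integrity check failed")
    (seq,) = struct.unpack("!I", body[:4])
    return seq, bytes(a ^ b for a, b in zip(body[4:], keystream(enc_key, seq, len(body) - 4)))


class ReplayWindow:
    """Sliding window of recent sequence numbers: duplicates and stale packets are rejected."""
    def __init__(self, size=64):
        self.size, self.top, self.seen = size, 0, 0  # `seen` is a bitmap relative to `top`

    def accept(self, seq):
        if seq > self.top:                            # newest so far: slide the window forward
            self.seen = ((self.seen << (seq - self.top)) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        if self.top - seq >= self.size:               # older than the window: drop
            return False
        bit = 1 << (self.top - seq)
        if self.seen & bit:                           # already accepted once: replay
            return False
        self.seen |= bit
        return True


class TunnelEndpoint:
    """One end of the tunnel: `local` is its own public address, `remote` the peer's."""
    def __init__(self, local, remote, enc_key, mac_key):
        self.local, self.remote, self.enc_key, self.mac_key = local, remote, enc_key, mac_key
        self.seq, self.window = 0, ReplayWindow()

    def encapsulate(self, inner):
        """Seal the whole inner packet and attach the plain-text outer IP header."""
        self.seq += 1
        return ipv4_packet(self.local, self.remote, IPPROTO_ESP,
                           seal(self.enc_key, self.mac_key, self.seq, inner))

    def decapsulate(self, outer):
        """Discard the outer header, verify, check replay, and recover the original packet."""
        src, _dst, proto, sealed = parse_ipv4(outer)
        if proto != IPPROTO_ESP or str(src) != self.remote:
            raise ValueError("not a tunnel packet from the peer")
        seq, inner = open_sealed(self.enc_key, self.mac_key, sealed)
        if not self.window.accept(seq):
            raise ValueError("replayed or stale packet")
        return inner


def rejected(endpoint, outer):
    """True when the endpoint refuses a packet (replay, tampering, wrong peer)."""
    try:
        endpoint.decapsulate(outer)
        return False
    except ValueError:
        return True


def demo():
    """A branch gateway sends a private-address packet to headquarters through the tunnel."""
    enc_key, mac_key = b"constructed-enc-key", b"constructed-mac-key"
    branch = TunnelEndpoint("203.0.113.1", "198.51.100.1", enc_key, mac_key)
    hq = TunnelEndpoint("198.51.100.1", "203.0.113.1", enc_key, mac_key)
    original = ipv4_packet("10.1.0.5", "10.2.0.9", 17, b"constructed UDP payload")
    outer = branch.encapsulate(original)
    return original, outer, hq.decapsulate(outer), hq
```

Two design points carry over to real deployments: the receiver verifies the integrity tag before it decrypts anything, and the anti-replay window is consulted only after the tag has been verified, so an attacker cannot advance the window with forged sequence numbers. On the wire only the outer header (the two gateway addresses and protocol 50) is readable; the private addresses of the inner header are part of the encrypted body.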
When a virtual private network is established, an extremely important issue is that of security. Since a VPN is used through an internetwork, such as the Internet, it is important to have the security features of a firewall in place. “A firewall prevents unauthorized users and/or data from getting in or out of your network, using rules to specify acceptable communications from locations, individuals, or in certain protocols,” (ADTRAN 4). Encryption is another key technique for ensuring data and user security. Encryption is the scrambling and unscrambling of data that is to be sent out. When data is scrambled, it is called cipher-text, and when data is unscrambled, it is called clear-text. When encryption is chosen as an option when sending through a VPN, the sending location encrypts the information, sends it through the tunnel, and the destination location decrypts the information back into clear-text. The Data Encryption Standard (DES) is a well-known encryption algorithm that uses 56-bit symmetric keys to encrypt the data. There is also a 3-DES system that encrypts the data, decrypts it, and then encrypts it again (EDE), which increases the key length to 168 bits (5).
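To make the firewall's role concrete, here is an added example of an ordered rule set with a default-deny policy in front of a VPN gateway; it is not code from the paper or from ADTRAN. The `Rule` and `Packet` shapes, the gateway address and the sample packets are constructed. The protocol and port numbers (IKE on UDP/500, ESP as IP protocol 50, the PPTP control connection on TCP/1723, GRE as IP protocol 47) are the standard ones and are not taken from the paper.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example: first-match packet filter with default deny. Addresses and the
# rule/packet shapes are constructed; protocol and port numbers are the standard ones.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp", "esp", "gre", ...
    dport: Optional[int] = None  # destination port for tcp/udp


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # CIDR of acceptable source locations
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; a packet that matches nothing gets the default (deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


GATEWAY = "198.51.100.1"   # constructed public address of the VPN gateway
INTERNAL = "10.0.0.0/8"    # constructed private network behind the gateway

# Rules applied to traffic arriving from the Internet side. Only the tunnel
# protocols may reach the gateway; nothing reaches internal hosts directly.
VPN_RULES = [
    Rule("deny", src=INTERNAL),                           # private source from outside: spoofed
    Rule("allow", dst=GATEWAY, proto="udp", dport=500),   # IKE key negotiation for IPSec
    Rule("allow", dst=GATEWAY, proto="esp"),              # IPSec ESP (IP protocol 50)
    Rule("allow", dst=GATEWAY, proto="tcp", dport=1723),  # PPTP control connection
    Rule("allow", dst=GATEWAY, proto="gre"),              # PPTP data channel (IP protocol 47)
]


def decide(src, dst, proto, dport=None):
    """Verdict for one inbound packet under VPN_RULES."""
    return evaluate(VPN_RULES, Packet(src, dst, proto, dport))
```

Rule order matters: the anti-spoofing deny sits first so that a packet claiming an internal source address is dropped even if it is addressed to an allowed tunnel port, and the absence of a catch-all allow is what turns the list into a default-deny policy. L2TP over IPSec does not need its own rule here because its UDP/1701 traffic arrives inside ESP.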
Keys are another important factor in the struggle for security of users and data within a VPN. “A key is the secret code that the encryption algorithm uses to create a unique version of cipher-text,” (ADTRAN 6). The strength of a key depends on its length, such as 8-bit or 16-bit. For example, 8-bit keys have 256 possible combinations, 16-bit keys have 65,536 combinations, and 56-bit keys have 72,057,594,037,927,900 possible combinations. Since it could be simple for intruders to use computers to crack a 16-bit code, many VPN products today are using 168-bit keys, which creates 374,144,419,156,711,000,000,000,000,000,000,000,000,000,000,000,000 possible combinations. Another good idea when keys are created is to establish a policy of periodically changing the keys, making them even more difficult to crack (6). There are usually two types of keys that can be used: symmetrical and asymmetrical. Symmetrical keys, also known as private keys, are used on both ends of the tunnel to both encrypt and decrypt the information (7). Asymmetrical key encryption consists of two keys, a private key and a public key. The private key is used by the sender to decrypt the information, and the public key is used by anyone to decrypt the received information. To secure the reliability of the public key, many times they are published with a certificate. “A certificate...is a data structure that is digitally signed by a certification authority (CA) – an authority that users of the certificate can trust,” (Microsoft 17). Essentially, these public key certificates ensure the validity of the sender (18). To create, distribute, and track digital certificates on a per-user basis, it is also not a bad idea for larger companies to implement a Public Key Infrastructure (PKI). This will be useful for large companies needing to extend secure, limited network access to their external users (ADTRAN 8).
When a company decides to implement a virtual private network system, it typically has two choices: doing it itself, or buying VPN services from an outside provider (known as outsourcing). “When implementing your own VPN, there are four basic areas to consider: the Internet service itself, a security policy server, a PKI system, and a VPN gateway solution,” (ADTRAN 17). Some of the products that may be needed are encryption support added to a router to keep VPN upgrade costs low, a firewall, Internet security device packages with a firewall and other network services included, and the VPN software itself. Adding up the costs of these products without the software can cost a company anywhere from $2,000 to $39,000. The VPN software can cost from $21 per seat up to $2,500 per server. Outsourced VPN is a relatively new option for companies, and ISP and VPN providers are able to set up and maintain the VPN service. Prices for outsourcing can vary dramatically from company to company; it just depends on what types of services are needed. Implementing a VPN may sound like a big investment, but the savings from long-distance charges alone will pay for the setup costs within a few months, and the savings will continue long after (15).
In conclusion, virtual private networking is a networking solution that allows companies to connect with their remote users or other companies. Its primary usage is through the Internet, and it ensures security by sending information through “tunnels”. A VPN can be implemented and maintained by the company that purchased it, or it is available through outsourcing. The costs for implementing this system may seem high, especially for a small company, but its benefits greatly surpass the cost, and it provides a technological system that is a convenient solution for remote users and companies.
References
ADTRAN, Inc. “Understanding Virtual Private Networking”. 2001. Internet. Accessed: 4 Feb 2002. Available: http://www.adtran.com/all/Public/Lookup/Document?id=en286a
Microsoft Corporation. “Virtual Private Networking in Windows 2000: An Overview”. 1999. Internet. Accessed: 7 Feb 2002. Available: http://www.microsoft.com/windows2000/techinfo/howitworks/communications/remoteaccess/vpnoverview.asp