This white paper presents an overview of IP-enabled Virtual
Private Networks (VPN). It will address the uses of IP-enabled VPNs between two
offices or for a remote user connecting to the office. Readers should have a basic
knowledge of Internet Protocol (IP), basic routing and Private IP-based numbering
(RFC-1918).
Introduction
The Internet has evolved into an inexpensive, efficient medium for
doing business, and the number of businesses that rely on it to communicate
with clients continues to grow. IP itself provides no confidentiality, integrity
or origin authentication, so traffic routed across the Internet is exposed to
spoofing, sniffing and session hijacking. As companies move from expensive, dedicated
connections to cost-effective use of the Internet, they need secure communications
over what is, by default, an insecure network. VPNs reduce those security risks
and make more efficient use of Internet connections by reducing the number of
dedicated leased lines.
VPN is a general term for a virtual circuit built on top of a shared network.
Frame Relay PVCs, ATM Virtual Path/Virtual Circuit identifiers (VPI/VCI) and IP-based
tunnels are all common forms of VPN. This document examines the uses of
IP-enabled VPNs, commonly referred to as IP tunneling (Figure
1). An IP-based VPN provides an IP tunnel between two network devices. Data sent
between the two devices is encrypted, creating a secure network path over
the existing IP network. If a packet is captured from an encrypted IP tunnel,
the payload is indecipherable without the correct decryption key. An eavesdropper
still sees the outer addresses and packet sizes, so a VPN hides the content of the
traffic, not the fact that the two endpoints are talking.
Figure 1. IP-enabled VPN
Concept Behind a VPN
Prying eyes on the Internet may be viewing your data. Information
such as grades, payroll and financial records, or passwords, can be captured (sniffed)
by someone outside your organization. IP itself does not encrypt packet payloads,
so once a packet is captured, passwords and other sensitive information can be read
directly.
Firewalls have become a required networking component for keeping
outsiders out of a network, but the same controls also keep staff from reaching
files and office resources from home. Fortunately, most firewall products include
a VPN component that allows an authenticated user to pass securely through the
firewall and access internal resources. The VPN component also encrypts the data
between the user and the VPN server, securing the connection to the office LAN.
VPN Implementation
There are two common implementations for a VPN: Site-to-Site
and Client-to-Site.
Site-to-Site VPN
Some office configurations require sharing information across
multiple LANs. A secure VPN tunnel between the two office gateway devices
allows the sites to share information without outsiders being able to read the
data stream. A site-to-site VPN is a one-to-one VPN tunnel: two servers or routers
set up an encrypted IP tunnel and pass packets back and forth over the Internet,
forming a logical point-to-point connection. Each gateway's routing table sends
packets destined for the remote LAN into the tunnel and everything else out the
default network link, which only works if the two LANs use non-overlapping address
ranges.
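The per-packet decision a site-to-site gateway makes, and the address-overlap check that must pass before the tunnel is brought up, as an added example (this is not code from the white paper; the topology, addresses and the function names find_overlaps, next_hop and leaks_private_traffic are constructed for illustration):

```python
# Added example, not from the white paper: the routing decision a site-to-site
# gateway makes per packet ("into the tunnel or out the default link"), plus
# the overlap check that must pass before the tunnel is brought up. All
# addresses are constructed for illustration.
import ipaddress

# Constructed topology: this gateway fronts site A (10.1.0.0/16); the tunnel
# peer at 203.0.113.2 fronts site B (10.2.0.0/16 and 192.168.50.0/24).
LOCAL_LAN = "10.1.0.0/16"
TUNNEL_PEER = "203.0.113.2"
REMOTE_LANS = ["10.2.0.0/16", "192.168.50.0/24"]

# RFC 1918 ranges, spelled out rather than using ipaddress.is_private, which
# also counts documentation and benchmark ranges as private.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def find_overlaps(prefixes):
    """Return every pair of prefixes that overlap, as strings.

    Overlapping private ranges on the two sides of a site-to-site tunnel are
    the classic misconfiguration: the gateway cannot tell local from remote
    hosts and traffic is silently misdelivered or dropped. Expect [] here.
    """
    nets = [ipaddress.ip_network(str(p)) for p in prefixes]
    return [(str(a), str(b))
            for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


def next_hop(dst, local=LOCAL_LAN, remotes=REMOTE_LANS, peer=TUNNEL_PEER):
    """Classify a destination: ("lan", None) for local delivery,
    ("tunnel", peer) for traffic that must be encrypted to the peer gateway,
    ("default", None) for ordinary Internet traffic sent in the clear."""
    addr = ipaddress.ip_address(dst)
    if addr in ipaddress.ip_network(local):
        return ("lan", None)
    if any(addr in ipaddress.ip_network(r) for r in remotes):
        return ("tunnel", peer)
    return ("default", None)


def leaks_private_traffic(dst, local=LOCAL_LAN, remotes=REMOTE_LANS):
    """True when a packet for an RFC 1918 address would leave via the default
    route: it is neither local nor behind the tunnel, and forwarding it to the
    Internet unencrypted is a leak. A gateway should drop such packets."""
    addr = ipaddress.ip_address(dst)
    is_rfc1918 = any(addr in n for n in RFC1918)
    return is_rfc1918 and next_hop(dst, local, remotes)[0] == "default"


if __name__ == "__main__":
    assert find_overlaps([LOCAL_LAN, *REMOTE_LANS]) == []
    for d in ("10.1.4.7", "10.2.9.1", "192.168.50.20", "198.51.100.9", "172.16.0.5"):
        print(f"{d:15} -> {next_hop(d)}", "LEAK" if leaks_private_traffic(d) else "")
```

Run find_overlaps over the local prefix and every remote prefix before enabling the tunnel; a real gateway would also refuse to forward the packets leaks_private_traffic flags rather than letting them escape out the default link.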
Client-to-Site VPN
When a client requires access to a site's internal data from
outside the network's LAN, the client needs to initiate a client-to-site VPN connection.
This will secure a path to the site's LAN, allowing the client to access a private
network address (see RFC 1918). The client-to-site VPN is a many-to-one VPN tunnel.
One or more clients can initiate a secure VPN connection to the VPN server, thus
securely accessing internal data from an insecure remote location. The client
receives an IP address from the server and appears as a member on the server's
LAN.
VPN Technology
VPNs combine several technologies to secure the data stream:
tunneling (encapsulating the original packet inside a new one), encryption, and
identification (authenticating the parties at each end).
VPN Encryption
All of the IP VPNs described here encrypt the data they carry. The data
is encrypted and placed in an envelope, then encapsulated in an IP packet before
being sent over the Internet.
The process functions like a private tunnel between two devices:
only the two VPN endpoints can encrypt or decrypt the packets.
User authentication or digital certificates identify the communicating
parties. Two kinds of keys are involved, private (secret) keys and public keys,
and in practice a VPN uses both: public-key operations (or a key-exchange protocol)
authenticate the peers and agree on a session key, and that secret session key
encrypts the bulk traffic.
Private (Secret) Keys
Private key cryptography, more precisely called secret-key or symmetric
cryptography, uses one key that both encrypts and decrypts data. Before the
recipient can decrypt anything, the key must be delivered securely. Sending a
secret key over the Internet unencrypted is never acceptable, and hand delivery is
time consuming, which is why VPN protocols normally establish the shared key with a
key-exchange protocol rather than distributing it out of band.
Public Keys
With public key cryptography, an algorithm generates a matched pair of
keys, one public and one private. The public key is shared and can be sent over
the Internet to anyone; the private key never leaves its owner. For confidentiality,
the public key encrypts and only the matching private key decrypts, so anyone can
encrypt to the owner but only the owner can read the result. Because the public key
is meant to be known to everyone, a public key in the wrong hands is not a
compromise; what must be protected is the private key.
Public Key vs. Private Key Encryption
Keep in mind, if configuring for time-sensitive data, that public key
operations cost far more CPU than secret-key encryption, which is one reason bulk
traffic is encrypted with a secret session key. Key length also affects
encryption and decryption time. With a shared secret key, a compromise of that
one key exposes traffic in both directions. With public key cryptography each
party has its own key pair, so a compromise of one party's private key exposes
only the traffic encrypted to that party; the other direction, encrypted to the
other party's public key, stays protected.
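The compromise comparison above, made concrete in an added example (not code from the white paper). It uses textbook RSA with fixed Mersenne primes and no padding purely as a toy to show who can unwrap which session key; a real VPN uses padded RSA or a Diffie-Hellman exchange inside its key-management protocol and feeds the agreed key to a standard cipher. The party names, the 16-byte session keys and the function names are constructed for illustration.

```python
# Added example, not from the white paper: the key-compromise argument above
# made concrete. Textbook RSA with fixed Mersenne primes and no padding is a
# TOY used only to show who can unwrap what; real VPNs use padded RSA or a
# Diffie-Hellman exchange (inside IKE or TLS) and feed the agreed session key
# to a standard cipher such as 3DES or AES. Names and keys are constructed.
import os


def rsa_keypair(p, q, e=65537):
    """Toy RSA key pair from two primes: public (n, e), private (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))          # pow(e, -1, m) needs Python 3.8+


def wrap_key(pub, session_key):
    """Encrypt a 16-byte session key to the owner of pub: anyone may do this."""
    n, e = pub
    return pow(int.from_bytes(session_key, "big"), e, n)


def unwrap_key(priv, blob):
    """Decrypt a wrapped session key: only the holder of priv can do this.
    Returns None when the result does not fit a 16-byte key (wrong key)."""
    n, d = priv
    m = pow(blob, d, n)
    return m.to_bytes(16, "big") if m < 2**128 else None


# Well-known Mersenne primes (2^61-1, 2^89-1, 2^107-1, 2^127-1). Each n exceeds
# 2^128 so a 16-byte key fits in one RSA block. Toy sizes, not real strength.
ALICE_PUB, ALICE_PRIV = rsa_keypair(2**61 - 1, 2**107 - 1)
BOB_PUB, BOB_PRIV = rsa_keypair(2**89 - 1, 2**127 - 1)


def shared_secret_setup(key=None):
    """Secret-key VPN: one key, delivered out of band, protects both directions."""
    key = os.urandom(16) if key is None else key
    return {"alice->bob": key, "bob->alice": key}


def public_key_setup(k_ab=None, k_ba=None):
    """Public-key VPN: a separate session key per direction, each wrapped with
    the RECIPIENT's public key. Returns (what goes on the wire, the real keys)."""
    k_ab = os.urandom(16) if k_ab is None else k_ab
    k_ba = os.urandom(16) if k_ba is None else k_ba
    wire = {"alice->bob": wrap_key(BOB_PUB, k_ab),
            "bob->alice": wrap_key(ALICE_PUB, k_ba)}
    return wire, {"alice->bob": k_ab, "bob->alice": k_ba}


def exposed_by_secret_key(leaked_key, keys):
    """Directions an attacker can read after stealing the shared secret key."""
    return sorted(d for d, k in keys.items() if k == leaked_key)


def exposed_by_private_key(leaked_priv, wire, real_keys):
    """Directions an attacker can read after stealing ONE party's private key:
    they try it on every wrapped key and recover only those wrapped to that
    party."""
    return sorted(d for d, blob in wire.items()
                  if unwrap_key(leaked_priv, blob) == real_keys[d])


if __name__ == "__main__":
    keys = shared_secret_setup()
    print("secret key leaked   ->", exposed_by_secret_key(keys["alice->bob"], keys))
    wire, real = public_key_setup()
    print("Bob's private key   ->", exposed_by_private_key(BOB_PRIV, wire, real))
    print("Alice's private key ->", exposed_by_private_key(ALICE_PRIV, wire, real))
```

With the shared secret, one leaked key lists both directions; with per-party key pairs, Bob's private key recovers only the alice->bob session key and Alice's only bob->alice.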
User Identification
With this authentication process, the user is presented with a
login prompt and must enter a user name and password. Unless strong passwords
are used and changed regularly, an unauthorized person may guess the user name
and password and gain access. The password must also be protected in transit,
which is why VPN protocols use a challenge-response scheme such as CHAP rather
than sending it in the clear.
Digital Certificates
A Public Key Infrastructure (PKI) issues digital certificates. A certificate
binds a public key to the identity of its owner (a user or a VPN gateway) and is
signed by a certificate authority that both parties trust; the matching private key
is generated and kept by the owner and is never part of the certificate. The PKI
system is a complex set of technologies designed to manage the generation, issuance
and revocation of digital certificates, and a VPN gateway that accepts certificates
must check the signature chain, validity period and revocation status before
trusting one.
Tunneling
Tunneling encapsulates one packet inside another so that it can cross
a network that would not otherwise carry it, creating a virtual path or
point-to-point connection between two hosts on the Internet. Most VPN implementations
use tunneling to create a private network path between two hosts. Three tunneling
protocols were in common use when this paper was written:
Alta Vista Tunnel
Point-to-Point Tunneling Protocol (PPTP)
Layer 2 Forwarding Protocol (L2F)
VPN Protocols
There are three widely used VPN protocols: Layer 2 Tunneling
Protocol (L2TP), Point-to-Point Tunneling Protocol (PPTP) and IPSec. PPTP and
L2TP carry PPP, so they authenticate with PPP's Challenge Handshake Authentication
Protocol (CHAP) and offer encryption as an option. PPTP's encryption (MPPE, based
on RC4) is weaker than IPSec's, and L2TP has no encryption of its own, relying on
MPPE or on being carried inside IPSec. At the time of writing IPSec was still
maturing and did not interoperate completely between vendors. PPTP and L2TP clients
ship free with Microsoft operating systems and are easy to deploy and use; they
suit small networks and businesses that run multiple protocols on their LAN, since
PPP can carry non-IP traffic. IPSec is a good fit for site-to-site connections
where both gateways run the same software. Client-to-server IPSec can be deployed
provided the network is IP only and the client and gateway come from the same vendor.
IPSec
IPSec was developed by the Internet Engineering Task Force (IETF)
to provide data confidentiality, integrity and origin authentication at the IP
layer. It has two protocols: Authentication Header (AH), which authenticates a
packet without encrypting it, and Encapsulating Security Payload (ESP), which
encrypts and authenticates. In tunnel mode, the mode used between gateways, ESP
encrypts the complete original IP packet, adds a sequence number for replay
protection, and wraps the result in a new IP header addressed to the peer gateway,
creating a secure IP tunnel; transport mode protects only the payload of a host's
own packets. IPSec was developed for site-to-site data integrity and content
security. It is not tied to a single cipher; the common choice at the time was
168-bit Triple-DES, with key management that supports X.509 certificates. This is
a stronger form of encryption than the 128-bit RC4 encryption that PPTP uses.
"IPSec interoperability is not clearly defined. Some vendors have decided to run
their own program." (Microsoft Article ID: Q265112) To connect using IPSec security,
clients must have vendor-specific software installed on their systems.
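The tunnel-mode encapsulation described in the Tunneling and IPSec sections, as an added example that is not code from the white paper or from any vendor's IPSec stack. It builds and unpacks ESP tunnel-mode packets following the RFC 2406/4303 layout, with the replay window and a truncated HMAC-SHA-256 integrity check (RFC 4868). The keystream, HMAC-SHA256 in counter mode, is a stand-in for the 3DES/AES transform because the standard library has no block cipher; the addresses, keys, SPI and inner packet are constructed for illustration.

```python
# Added example, not from the white paper or any vendor's code: what "wrap the
# packet in a new IP header and encrypt the complete original packet" looks
# like on the wire, as an ESP tunnel-mode encapsulator and decapsulator
# following the layout of RFC 2406/4303. The keystream (HMAC-SHA256 in counter
# mode) stands in for the 3DES/AES transform, which the standard library lacks;
# the header, trailer, padding, ICV (HMAC-SHA-256-128, RFC 4868) and replay
# window are the real structures. Addresses, keys and the inner packet are
# constructed for illustration.
import hashlib
import hmac
import struct

ESP_PROTO, UDP_PROTO, NEXT_HEADER_IPV4, ICV_LEN, WINDOW = 50, 17, 4, 16, 64


def _ip_checksum(hdr):
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    pack_ip = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, pack_ip(src), pack_ip(dst))
    return hdr[:10] + struct.pack("!H", _ip_checksum(hdr)) + hdr[12:]


def keystream_xor(key, spi, seq, data):
    """Stand-in cipher: XOR with HMAC-SHA256(key, spi||seq||counter) blocks.
    (spi, seq) is the per-packet nonce, so keystream is never reused as long
    as seq is never reused, which is exactly what the replay window enforces."""
    stream = b""
    for ctr in range((len(data) + 31) // 32):
        stream += hmac.new(key, struct.pack("!IIQ", spi, seq, ctr), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def esp_encapsulate(inner, spi, seq, enc_key, auth_key, outer_src, outer_dst):
    """Tunnel mode: [outer IP][SPI|seq][ENC(inner + pad + padlen + next)][ICV]."""
    pad_len = (-(len(inner) + 2)) % 4                 # trailer must end 4-byte aligned
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, NEXT_HEADER_IPV4])
    esp_hdr = struct.pack("!II", spi, seq)
    body = keystream_xor(enc_key, spi, seq, inner + trailer)
    icv = hmac.new(auth_key, esp_hdr + body, hashlib.sha256).digest()[:ICV_LEN]
    esp = esp_hdr + body + icv
    return ipv4_header(outer_src, outer_dst, ESP_PROTO, len(esp)) + esp


class EspReceiver:
    """One inbound security association: keys plus a 64-packet replay window."""

    def __init__(self, spi, enc_key, auth_key):
        self.spi, self.enc_key, self.auth_key = spi, enc_key, auth_key
        self.highest, self.bitmap = 0, 0          # bit i set = seq highest-i seen

    def _replay_check(self, seq):
        if seq == 0:
            raise ValueError("sequence number 0 is never valid")
        if seq <= self.highest:
            diff = self.highest - seq
            if diff >= WINDOW or (self.bitmap >> diff) & 1:
                raise ValueError("replayed or too-old sequence number: dropped")

    def _window_update(self, seq):
        if seq > self.highest:
            shift = min(seq - self.highest, WINDOW)
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def decapsulate(self, packet):
        """Return the original inner packet, or raise ValueError (packet dropped)."""
        if packet[9] != ESP_PROTO or _ip_checksum(packet[:20]) != 0:
            raise ValueError("not a well-formed ESP packet")
        esp = packet[20:]
        spi, seq = struct.unpack("!II", esp[:8])
        if spi != self.spi:
            raise ValueError("unknown SPI")
        self._replay_check(seq)                  # RFC 4303 order: replay, ICV, decrypt
        expected = hmac.new(self.auth_key, esp[:-ICV_LEN], hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(esp[-ICV_LEN:], expected):
            raise ValueError("ICV mismatch: dropped before decryption")
        self._window_update(seq)                 # only verified packets move the window
        plain = keystream_xor(self.enc_key, spi, seq, esp[8:-ICV_LEN])
        pad_len, next_header = plain[-2], plain[-1]
        if next_header != NEXT_HEADER_IPV4:
            raise ValueError("unexpected next header")
        return plain[:len(plain) - 2 - pad_len]


def sample_inner_packet():
    """Constructed inner packet: a UDP datagram between two RFC 1918 hosts."""
    payload = b"hello site B"
    return ipv4_header("10.1.0.5", "10.2.0.9", UDP_PROTO, len(payload)) + payload
```

The outer header carries the gateways' public addresses and protocol 50, so the RFC 1918 addresses of the inner packet are never visible in transit; the receiver checks the sequence number and the ICV before it decrypts anything, so a forged or replayed packet never reaches the cipher.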
Point to Point Tunneling Protocol (PPTP)
Used by Microsoft for Windows NT 4.0 and Windows 95 and later clients, this
tunneling protocol carries PPP frames, so it can tunnel LAN protocols such as
NetBEUI and IPX inside IP packets sent over the Internet. Its encryption (Microsoft
Point-to-Point Encryption, MPPE) is based on the RSA RC4 stream cipher and supports
40-bit or 128-bit keys. PPTP was not developed for LAN-to-LAN tunneling and has
other limitations, such as a 255-connection limit per server and only one VPN
tunnel per client connection. It doesn't provide heavy-duty encryption, but it is
easy to set up and is a viable remote-access solution for a Microsoft-only network.
Windows 2000 includes the successor to this protocol, Layer 2 Tunneling Protocol,
along with IPSec.
Layer 2 Tunneling Protocol (L2TP)
L2TP combines the best features of PPTP with Cisco's L2F (Layer 2
Forwarding) protocol. Useful for dialup, ADSL and other remote access, it extends
PPP so that a remote user's PPP session can be tunneled over IP to the corporate
gateway. L2TP itself does not encrypt; on Windows 2000 it is paired with IPSec
(L2TP/IPSec) for confidentiality.
Socks5
SOCKS version 5 (RFC 1928) is a circuit-level proxy protocol. The client
asks the proxy to open a connection to a destination host and port, and the proxy
then relays bytes in both directions without looking at the application data; it is
essentially a pass-through service. A connection that comes in for port 80 goes out
to port 80 whether the traffic is HTTP or some other application, so the only policy
a SOCKS proxy can enforce is on who may connect (SOCKS5 adds user name/password and
GSS-API authentication) and on which destination hosts and ports are allowed.
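The SOCKS5 exchange with both sides' messages, as an added example that is not code from the white paper. It builds and parses the RFC 1928 greeting, method selection, CONNECT request and reply in memory, and applies the one policy a circuit-level proxy can enforce, a destination host:port ruleset. The allowlist, the host name intranet.example, the addresses and the function names are constructed for illustration.

```python
# Added example, not from the white paper: the SOCKS5 exchange of RFC 1928
# with both sides' messages built and parsed in memory, and the one policy a
# circuit-level proxy can actually enforce, a destination host:port ruleset.
# The allowlist, host names and addresses are constructed for illustration.
import ipaddress
import struct

VER = 0x05
NO_AUTH, GSSAPI, USER_PASS, NO_ACCEPTABLE = 0x00, 0x01, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_OK, REP_FAILURE, REP_RULESET = 0x00, 0x01, 0x02
REP_CMD_UNSUPPORTED, REP_ATYP_UNSUPPORTED = 0x07, 0x08

# Constructed ruleset: (destination, port) pairs the proxy may relay to.
ALLOWED = [("10.1.0.0/16", 443), ("intranet.example", 80)]


def client_greeting(methods=(NO_AUTH, USER_PASS)):
    """VER | NMETHODS | METHODS: the client lists the auth methods it supports."""
    return bytes([VER, len(methods), *methods])


def server_choose_method(greeting, preference=(USER_PASS,)):
    """VER | METHOD: the server picks the first of its preferred methods the
    client offered, or 0xFF, after which the client must close the connection.
    A proxy whose preference list holds only authenticated methods never
    relays for anonymous clients."""
    if len(greeting) < 2 or greeting[0] != VER or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed greeting")
    offered = set(greeting[2:])
    choice = next((m for m in preference if m in offered), NO_ACCEPTABLE)
    return bytes([VER, choice])


def connect_request(host, port):
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT, with ATYP picked from the
    form of the destination (IPv4, IPv6 or a domain name the proxy resolves)."""
    try:
        addr = ipaddress.ip_address(host)
        atyp, dst = (ATYP_IPV4 if addr.version == 4 else ATYP_IPV6), addr.packed
    except ValueError:
        name = host.encode("ascii")
        atyp, dst = ATYP_DOMAIN, bytes([len(name)]) + name
    return bytes([VER, CMD_CONNECT, 0x00, atyp]) + dst + struct.pack("!H", port)


def parse_request(buf):
    """Return (cmd, host, port) from a request, rejecting malformed input."""
    if len(buf) < 4 or buf[0] != VER or buf[2] != 0x00:
        raise ValueError("malformed request")
    cmd, atyp = buf[1], buf[3]
    if atyp == ATYP_IPV4:
        host, end = str(ipaddress.IPv4Address(buf[4:8])), 8
    elif atyp == ATYP_IPV6:
        host, end = str(ipaddress.IPv6Address(buf[4:20])), 20
    elif atyp == ATYP_DOMAIN:
        n = buf[4]
        host, end = buf[5:5 + n].decode("ascii"), 5 + n
    else:
        raise ValueError("unsupported address type")
    if len(buf) != end + 2:
        raise ValueError("length mismatch")
    return cmd, host, struct.unpack("!H", buf[end:end + 2])[0]


def policy_decision(host, port):
    """REP_OK if (host, port) matches the ruleset, else REP_RULESET (0x02,
    'connection not allowed by ruleset'). Note what the proxy cannot know:
    whether the bytes it will relay on port 80 are HTTP or something else."""
    for rule_host, rule_port in ALLOWED:
        if port != rule_port:
            continue
        try:
            if ipaddress.ip_address(host) in ipaddress.ip_network(rule_host):
                return REP_OK
        except ValueError:                     # one side is a name, not an address
            if host == rule_host:
                return REP_OK
    return REP_RULESET


def reply(rep, bind_host="0.0.0.0", bind_port=0):
    """VER | REP | RSV | ATYP | BND.ADDR | BND.PORT (IPv4 form)."""
    return (bytes([VER, rep, 0x00, ATYP_IPV4])
            + ipaddress.IPv4Address(bind_host).packed + struct.pack("!H", bind_port))


def handle_request(buf):
    """Server side of the request step: parse, apply policy, build the reply."""
    if len(buf) >= 4 and buf[3] not in (ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6):
        return reply(REP_ATYP_UNSUPPORTED)
    try:
        cmd, host, port = parse_request(buf)
    except ValueError:
        return reply(REP_FAILURE)
    if cmd != CMD_CONNECT:
        return reply(REP_CMD_UNSUPPORTED)
    return reply(policy_decision(host, port))
```

A client that offers only NO_AUTH to this server gets 0xFF and no circuit at all; a request for an allowed host on the wrong port gets reply code 0x02, and nothing in the exchange tells the proxy what protocol the relayed bytes will carry.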
Common Uses
Common uses for VPN include providing remote users a secure
connection to internal documents on a corporate LAN or allowing users to access
resources behind a corporate firewall.
Branch offices can use VPNs over existing Internet Wide Area
Network (WAN) connections, thus providing a secure connection for remote offices.
This eliminates costly dedicated connections and reduces WAN costs.
Cost of Ownership
VPN can reduce wide area networking costs by eliminating the
need for private dedicated connections. Implementing a VPN will have about the
same impact on your organization and cost as administering a WAN link. Issues
like training users, general maintenance, security, and everyday network failure
issues are estimated at 5-10 hours a month. (Virtual Private Networks, O'Reilly,
page 45)