Virtual Private Network (VPN) Computer Networks

Question: Discuss about the Report for Virtual Private Network (VPN) of Computer Networks. Answer: Introduction A virtual private network (VPN) is an expansion of the corporate network linking the companies and remote employees at different geographical areas through public networks like internet so that secure network connection establishes [1]. The term virtual is used in the sense that the physical network is not held by the individual user of the network but it is the public network. The term private is used to indicate the privacy of the traffic flow over VPN. This report discusses the implementation of two types of VPN Multiple business sites and Tele worker. The functionalities, security features, advantages, disadvantages, applications, extension of the network are discussed. Virtual Private Network (VPN) and types For expansion of the companys computer network, beyond its local geographical area, Wide Area Network (WAN) can be used. WAN uses leased lines like ISDN and Optical carrier to provide network coverage [13, 14]. The major advantages of WAN over Internet are performance, security and reliability. But the drawbacks of WAN are that the installation and maintenance of WAN is expensive, particularly if the distance between the remote offices increases. Hence, now-a-days companies build their own Virtual Private Network (VPN) which is a easy solution to the installation and maintenance cost. In VPN, secured virtual connections between remote users are routed through the Internet via the companys private network instead of dedicated leased lines. The major advantages of VPN are reduced operational costs, improved security, scalability, reliability and simplified network topology. Figure 1 illustrates the structure of Virtual Private Network. There are two types of VPN Remote Access VPN and Site-to-Site VPN Figure 1 Illustration of Virtual Private Network Site-to-Site VPN with GRE Tunnels Implementation (without IPsec protection) Companies located at different sites are connected through Site-to-Site VPN over Internet. It is of two types Intranet VPN and Extranet VPN. Intranet VPN permits connections between LAN to LAN to connect the same company located at remote locations. Extranet VPN permits connections between LAN to LAN to connect a company with another company which is in close association, like partners so that a collaborative environment exists [15]. Figure 2 shows the network diagram of site-to-site VPN connection. Figure 2 - Network Diagram of Site to Site VPN connection The VPNs use the mechanism of tunneling for transmission in the network. An entire packet is placed within another packet and sent over the network. The interfaces where the packet enters and leaves the network are called tunnel interfaces. Three protocols are used in tunneling. Carrier Protocol is used by the network Encapsulating Protocol which is used to cover the original data Passenger Protocol used to represent the original data In Site-to-Site VPN, Generic Routing Encapsulation (GRE) is the protocol generally used for encapsulation. Generic Route Encapsulation (GRE) encapsulates the packets with a GRE header and the packets travel inside a GRE tunnel. They are not encrypted by GRE. The Point-to-Point (PPP) protocols at layer 2 used in remote access VPNs for tunneling are Layer 2 Forwarding (L2F), Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP). Security Features Firewall acts as a barrier between the secured internal network and the public Internet which is not trusted [4]. The type of packets to be passed through the network, the number of open ports and the protocols to be allowed are restricted by the firewall. VPNs provide secured connection between two remotely located sites. A combination of firewalls and VPN establishes both trust and privacy between the two sites. Authentication, Authorization and Accounting (AAA) servers provide secured connection for Remote Access VPN [9]. Authentication checks for the valid user, Authorization checks for the granting of services which may be restricted, and Accounting checks for the consumption of network resources for billing, planning etc., Advantages Low cost of VPN with no use of leased lines. Scalability that means adaptability if the organization grows. Disadvantages Security Issues arise since the data packets are not protected by GRE. Different vendors use different VPN technologies and they may not be compatible. Applications Suited for organizations which have geographically separated offices and virtual connections established in the network with less attention to security issues. Site-to-Site VPN with GRE Tunnels using IPsec ESP Implementation IPSec, which is layer 3 protocol, is suited for both remote-access and site-to-site VPNs. If the data packets encapsulated by GRE are to be protected, IPSec must be configured. Then the GRE tunnel is converted into a secure VPN GRE tunnel through the addition of IPSec. With the use of Generic Route Encapsulation (GRE) tunnels in addition to IPSec, Multi Protocol traffic can be carried between the two sites. It also enables the end stations to use private address space rather than registered IP addresses by means of encapsulating the IP packet in tunnelling protocol. It is illustrated in Figure 3. Figure 3 - Generic Route Encapsulation as the carrier protocol of IP The payload of an IP packet is encrypted using Encapsulating Security Payload (ESP). It is illustrated in Figure 4. Figure 4 IPSec Encapsulating Security Payload The header provides the protocol carried in the payload. The encryption transforms used in ESP are Data Encryption Standard (DES) and NULL encryption algorithms. Security Features Through Internet Protocol Security (IPSec), better encryption algorithms and authentication schemes are provided [7]. Encryption is the process of encoding the data to be transmitted into a form such that only the intended computer will decode the data [10, 11]. There are two types of encryption Symmetric-key encryption and Public-key encryption. In Symmetric-key encryption, the same private key is used by both the sender and the receiver to encrypt and decrypt the data. In public-key encryption, public key is used for encryption and private key is used for decryption. There are two encryption modes in IPSec Tunnel and Transport. The payload alone is encrypted in Transport mode while both the header and payload are encrypted in Tunnel mode. Data transmitted between various devices such as router-router, Firewall-router, PC-router and PC-Server are encrypted by IPSec. Advantages Low cost and scalability. Flexibility for business partners to have secured virtual connections to the network. Secured communication among the users. Disadvantages VPNs require a thorough understanding of the security issues of the public network and proper methods have to be deployed to overcome the issues. Implementation of VPNs needs additional protocols other than IP and hence they should be able to accommodate them. The performance of the VPN and its availability largely depends on external factors and hence not able to control. Applications Suited for organizations which have geographically separated offices and secured communication between them is an essential criterion. Remote Access VPN (Telework connectivity) without cryptographic technology It is also called Virtual Private Dial-up Network (VPDN). It enables the remote employees of the company to be connected to the private network through Enterprise Service Provider (ESP). The ESP provides a Network Access Server (NAS) and the desktop client software is used by the remote users to access the corporate network. Figure 5 shows the network diagram of Remote Access VPN. Figure 5 Network diagram of Remote Access VPN A NAS is the server which connects the user with the internet and provides access to the VPN by valid user authentication. The tunnelled connection to a Network Access Server is set up by the client software by its Internet address. Advantages It incurs low cost for the implementation of remote access VPN. Remote workers can easily communicate with the office. Disadvantages Security Issues If the computer used to connect remote access VPN is not provided by the company, it is susceptible to security issues like virus which may also affect the company network [5, 6]. Applications Remote-access VPN uses public network like internet to access the organizations network. Hence they are largely employed where the remote employees uses wi-fi or other technologies to access the internet and get connected to their corporate network. Secure Socket Layer (SSL) VPN for remote access IPSec or SSL is used by the remote-access VPN to establish secure connection to the network [3]. SSL VPN can be used with the standard web browser which does not require the installation of specialized client software as in the case of IPSec. It allows the remote users to access the client/server applications, web applications and internal network applications. SSL protocol or Transport Layer Security Protocol (TLS) is used to encrypt the traffic between SSL VPN device and web browser. Advantages SSL VPN provides secured network access to remote employees and also they provide some limited network access to business partners. This greatly improves the business productivity while maintaining security. Disadvantages Network Traffic Many simultaneous VPN connections increase the network traffic and slow down the speed and reduce the bandwidth. Network Delays and disconnections Since the virtual connections are made through public network, delays and disconnections may occur. Since the authentication has to be re-established after disconnection, it incurs additional delay. Applications SSL VPN finds applications in organization where remote employees need secured access to the corporate network thus improving business productivity and reducing the communication costs. VPN design and implementation factors The factors to be considered in VPN design and implementation are: Type of VPN Remote Access or Site-to-Site or combination Application to be met time constraints, bandwidth requirement, security requirements etc.,[2] Required levels of protection Authentication, Encryption etc., Scalability of the network geographical span, cost of implementation etc., Support and Management of the network Policies and Configuration, Authentication, accounting, QOS, Routing and backup paths etc.,[8] Maintenance of the Network By contractor or ISP, cost factor etc., VPN Implementation considerations The following factors are to be considered in the implementation of Site-to-Site VPN. Access Control: The business partners are not allowed to access all the information of the company and they should have limited access. Data Confidentiality: The data should be hidden while travelling through the partners intranet. The factors to be considered in the implementation of Remote Access VPN are Data Confidentiality and authentication, addressing and routing issues and multiprotocol support. To build the optimal virtual networks across multiple domains is an essential technology to offer flexible services [12]. Conclusion This report discusses the implementation of two types of VPN Multiple business sites and Tele worker. The principle behind Virtual Private Network is explained with its types. The implementation of both networks with and without IPSec, applications, advantages and disadvantages are summarized. The security and tunneling methods of VPN are discussed. The design and implementation factors are analyzed. References A comprehensive guide to virtual private networks. IBM Corp., 1999. Cui and M. A. Bassiouni, Virtual private network bandwidth management with traffic prediction,Computer Networks, vol. 42, no. 6, pp. 765778, 2003. Mao, L. Zhu, and H. Qin, A Comparative Research on SSL VPN and IPSec VPN,2012 8th International Conference on Wireless Communications, Networking and Mobile Computing, 2012. Cameron and N. R. Wyler, Defining a Firewall,Juniper Networks Secure Access SSL VPN Configuration Guide, pp. 145, 2007. Utilizing Virtual Private Network (VPN) Technology for Remote Access Connectivity,Building Cisco Remote Access Networks, pp. 113149, 2000. Lee, J. Nah, and K. Jung, The remote access to IPsec-VPN gateway over mobile IPv6,The 7th International Conference on Advanced Communication Technology, 2005. Adeyinka, Analysis of problems associated with IPSec VPN Technology,2008 Canadian Conference on Electrical and Computer Engineering, 2008. Zeng and N. Ansari, Toward IP virtual private network quality of service: a service provider perspective,IEEE Communications Magazine, vol. 41, no. 4, pp. 113119, 2003. Sampalli, Security in Virtual Private Networks,Network Security, pp. 5163. Understanding Authentication and Encryption,Virtual Private Networking A Construction, Operation and Utilization Guide, pp. 2352, 2005. G. Krishnan and V. Wilson, Improving security in a virtual network by using attribute based encryption algorithm,2016 International Conference on Circuit, Power and Computing Technologies (ICCPCT), 2016. Mano, T. Inoue, D. Ikarashi, K. Hamada, K. Mizutani, and O. Akashi, Efficient Virtual Network Optimization across Multiple Domains without Revealing Private Information,IEEE Transactions on Network and Service Management, pp. 11, 2016. QOS Capabilities for Building MPLS VPN,IJSR International Journal of Science and Research (IJSR), vol. 5, no. 5, pp. 22472251, May 2016. Firewalls and Virtual Private Networks - Wiley: Home. [Online]. Available: https://www.wiley.com/legacy/compbooks/press/0471348201_09.pdf. Virtual Private Networks - Washington University... [Online]. Available: https://www.cse.wustl.edu/~jain/cis788-99/ftp/h_7vpn.pdf.