Analysis of VPN Protocols ECE 646 Final Project Presentation Tamer Mabrouk Touhidur Satiar
Overview
- VPN definitions
- Emergence of VPN
- Concept of tunneling
- VPN classification
- Comparison of protocols: Customer Premise Equipment (CPE) based and Provider Provisioned
- Future of VPN
Definition of VPN
A virtual private network (VPN) is a private network that uses a public network (usually the Internet) to connect remote sites or users together.
VPNs can use the Internet to connect:
- Data centers and branch offices
- Mobile users and telecommuters
- Customers, partners and vendors
[Diagram: an HQ site connected over the Internet to a branch office, partners/vendors, telecommuters and mobile users]
Emergence of VPN
Earlier private networks were built from leased lines and Frame Relay or ATM connections into the service provider's cloud.
[Diagram: Agency A and Agency B sites joined by leased lines and by Frame Relay/ATM switches in the provider's Frame Relay/ATM network]
Emergence of VPN
VPNs use the public Internet to provide the same functionality as the legacy private networks.
[Diagram: Agency A and Agency B sites connected by routers across the Internet]
Concept of Tunneling
Tunnel: a virtual connection that uses the Internet to transfer data between networks.
Tunneling: the encapsulation, transmission and decapsulation of packets; the basic building block of VPNs.
Tunneling requires three different protocols:
- Carrier protocol: the protocol of the network the tunnel crosses (IP on the public Internet)
- Encapsulating protocol: the tunnel header wrapped around the original data (e.g. GRE, L2TP, ESP)
- Passenger protocol: the original data being carried (e.g. IP, IPX)
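The three-protocol structure above, as an added example that is not part of the presentation: a Python script that builds an IPv4 passenger packet, wraps it in a GRE header (the encapsulating protocol, RFC 2784) and an outer IPv4 header (the carrier, IP protocol 47), then decapsulates it while validating each layer. All addresses and the payload are constructed sample data; the script does not send anything on the wire.

```python
import struct

GRE_PROTO = 47            # IP protocol number of GRE: the carrier header names the encapsulating protocol
ETHERTYPE_IPV4 = 0x0800   # GRE "protocol type" value for an IPv4 passenger


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; a header carrying a valid checksum sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ip_to_bytes(src), ip_to_bytes(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet: bytes):
    """Return (src, dst, proto, payload); reject truncated or corrupted headers."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or total_len > len(packet):
        raise ValueError("bad IPv4 header")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return bytes_to_ip(src), bytes_to_ip(dst), proto, packet[ihl:total_len]


def gre_encapsulate(passenger: bytes) -> bytes:
    """Encapsulating protocol: 4-byte RFC 2784 GRE header (no checksum/key/sequence) + passenger."""
    return struct.pack("!HH", 0, ETHERTYPE_IPV4) + passenger


def build_tunnel_packet(carrier_src: str, carrier_dst: str, passenger: bytes) -> bytes:
    """Carrier protocol: outer IPv4 header addressed between the two tunnel endpoints."""
    return build_ipv4(carrier_src, carrier_dst, GRE_PROTO, gre_encapsulate(passenger))


def gre_decapsulate(tunnel_packet: bytes):
    """Strip carrier and GRE headers, validating each layer; return the passenger packet's fields."""
    _, _, proto, gre = parse_ipv4(tunnel_packet)
    if proto != GRE_PROTO:
        raise ValueError("carrier does not contain GRE")
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags_ver, ptype = struct.unpack("!HH", gre[:4])
    if flags_ver & 0x0007:
        raise ValueError("unsupported GRE version")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unexpected passenger protocol 0x%04x" % ptype)
    hdr_len = 8 if flags_ver & 0x8000 else 4   # C bit adds a checksum/reserved word (not verified here)
    return parse_ipv4(gre[hdr_len:])


def demo():
    """Constructed sample: private hosts at two sites, tunnelled between made-up public endpoints."""
    passenger = build_ipv4("10.1.0.5", "10.2.0.9", 17, b"hello from site A")
    tunnel = build_tunnel_packet("198.51.100.1", "203.0.113.7", passenger)
    src, dst, proto, payload = gre_decapsulate(tunnel)
    return src, dst, proto, payload, len(tunnel) - len(passenger)


def tamper_is_detected() -> bool:
    """Flip one bit in the carrier header: the header checksum check must reject the packet."""
    passenger = build_ipv4("10.1.0.5", "10.2.0.9", 17, b"hello from site A")
    tunnel = bytearray(build_tunnel_packet("198.51.100.1", "203.0.113.7", passenger))
    tunnel[9] ^= 0x01   # protocol field: 47 -> 46
    try:
        gre_decapsulate(bytes(tunnel))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
```

The 24 bytes the tunnel adds (20-byte outer IP plus 4-byte GRE) are the cost of plain tunneling; note that nothing here authenticates or encrypts the passenger, which is exactly the gap the security comparison later in the deck is about.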
VPN Classification
Two categories:
A. Customer Premise Equipment (CPE) based
CPE-based VPNs are implemented within customer premise equipment: the customer builds its own VPN across an Internet connection without any specific knowledge of, or cooperation from, the service provider.
VPN Classification
B. Provider provisioned
Provider-provisioned VPNs do not require any CPE devices beyond basic Internet access; all VPN services and equipment are provided by the service provider's core infrastructure.
CPE based VPN protocols: PPTP, L2F, L2TP, IPSec
Provider provisioned VPN technologies: MPLS Layer 2 VPN, MPLS Layer 3 VPN
Comparison of CPE Based Protocols
Security issues:
                   PPTP                    L2TP                    IPSec
Authentication     PPP: PAP, CHAP, EAP     PPP: PAP, CHAP, EAP     AH (HMAC-MD5 or HMAC-SHA-1), ESP
Encryption         NONE                    NONE                    DES, 3DES
Key management     NONE                    NONE                    IKE
Note: PPTP and L2TP define no encryption of their own; Microsoft's PPTP deployments add MPPE (RC4) negotiated through MS-CHAP, and L2TP is normally protected by running it over IPSec (L2TP/IPSec). The IPSec cipher list reflects the date of the presentation; AES-CBC (RFC 3602) is standard in current implementations.
Comparison of CPE Based Protocols
Vulnerabilities:
                     PPTP             L2TP             IPSec
Buffer overflow      NOT RESISTANT    NOT RESISTANT    NOT RESISTANT
Man-in-the-middle    NOT RESISTANT    NOT RESISTANT    RESISTANT
Key management       NOT APPLICABLE   NOT APPLICABLE   VULNERABLE
Timing attack        NOT RESISTANT    NOT RESISTANT    NOT RESISTANT
Note: buffer overflows and timing attacks are defects of particular implementations rather than properties of the protocols; IPSec resists man-in-the-middle attacks only when both peers authenticate each other during IKE.
Comparison of CPE Based VPN
Interoperability: worth mentioning is L2TP/IPSec (RFC 3193), where L2TP provides the PPP tunnel and multiprotocol transport while IPSec ESP protects the L2TP/UDP traffic with the authentication and encryption that L2TP lacks on its own.
Comparison of CPE Based VPN
Performance: based on throughput and latency.
L2TP uses more control messages, so its throughput may be lower than PPTP's, but it behaves better on high-latency networks because its control and data packets are both carried over UDP (port 1701).
PPTP carries its control channel over TCP (port 1723) and its data in GRE; fewer control messages make it a high-throughput protocol, but the TCP control channel makes it sensitive to high latency.
IPSec adds considerable security-related overhead (extra headers, padding, integrity check values and per-packet cryptography), which degrades performance in both throughput and latency.
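The overhead argument above, as an added example that is not part of the presentation: a Python calculator for the per-packet bytes each CPE protocol adds to an inner IP packet, including the cipher-block padding and integrity check value that make IPSec ESP tunnel mode the heaviest, and the largest inner packet that still fits a 1500-byte link MTU (the tunnel MTU). The header sizes are assumed typical values (enhanced GRE with sequence and acknowledgement fields for PPTP, an L2TPv2 data header with length and sequence fields, DES/3DES-CBC with a 96-bit HMAC for IPSec), not figures from the slides.

```python
import math

# Assumed header sizes in bytes (typical values; not figures from the presentation).
IPV4_HDR = 20
PPP_HDR = 4
GRE_PPTP_HDR = 16     # enhanced GRE (RFC 2637): base header, key, sequence and acknowledgement
UDP_HDR = 8
L2TP_DATA_HDR = 12    # L2TPv2 data message (RFC 2661) with length and sequence fields
ESP_HDR = 8           # SPI + sequence number
ESP_TRAILER = 2       # pad length + next header


def pptp_overhead(inner_len: int) -> int:
    """PPTP data path: outer IP + enhanced GRE + PPP; no padding or integrity value."""
    return IPV4_HDR + GRE_PPTP_HDR + PPP_HDR


def l2tp_overhead(inner_len: int) -> int:
    """L2TP data path: outer IP + UDP + L2TP + PPP; no padding or integrity value."""
    return IPV4_HDR + UDP_HDR + L2TP_DATA_HDR + PPP_HDR


def esp_tunnel_overhead(inner_len: int, block_size: int = 8, iv_len: int = 8, icv_len: int = 12) -> int:
    """IPSec ESP tunnel mode: outer IP + ESP header + IV + padding to the cipher block + trailer + ICV.
    Defaults model DES/3DES-CBC (8-byte block and IV) with a 96-bit truncated HMAC (12-byte ICV)."""
    padded = math.ceil((inner_len + ESP_TRAILER) / block_size) * block_size
    pad = padded - inner_len - ESP_TRAILER
    return IPV4_HDR + ESP_HDR + iv_len + pad + ESP_TRAILER + icv_len


def efficiency(inner_len: int, overhead_fn) -> float:
    """Fraction of bytes on the wire that belong to the inner packet."""
    return inner_len / (inner_len + overhead_fn(inner_len))


def max_inner_len(mtu: int, overhead_fn) -> int:
    """Largest inner packet that fits the link MTU after encapsulation (the tunnel MTU)."""
    n = mtu
    while n > 0 and n + overhead_fn(n) > mtu:
        n -= 1
    return n


def compare(inner_lens=(64, 512, 1400), mtu: int = 1500):
    """Per-protocol overhead and efficiency for a few inner packet sizes, plus the tunnel MTU."""
    def aes(n):   # AES-CBC variant (RFC 3602): 16-byte block and IV
        return esp_tunnel_overhead(n, block_size=16, iv_len=16)
    protocols = {"PPTP": pptp_overhead, "L2TP": l2tp_overhead,
                 "IPSec ESP 3DES": esp_tunnel_overhead, "IPSec ESP AES": aes}
    rows = []
    for name, fn in protocols.items():
        rows.append({
            "protocol": name,
            "overhead": {n: fn(n) for n in inner_lens},
            "efficiency": {n: round(efficiency(n, fn), 3) for n in inner_lens},
            "tunnel_mtu": max_inner_len(mtu, fn),
        })
    return rows


if __name__ == "__main__":
    for row in compare():
        print(row)
```

Two practical points fall out of the numbers: small packets such as VoIP frames lose roughly half their bandwidth to ESP framing, and a 1500-byte link carries at most 1446 bytes of inner packet through 3DES ESP, so a VPN gateway should clamp the tunnel MTU (or the TCP MSS) rather than let inner packets be fragmented.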
Comparison of CPE based VPN
Routed protocols carried by each tunnel protocol:
IPSec: IP only
PPTP: IP, IPX, AppleTalk, NetBEUI
L2TP: IP, IPX, AppleTalk, NetBEUI
Comparison of CPE based VPN
Implementation of the protocols in the OSI reference model:
7. Application
6. Presentation   SSL
5. Session        SOCKS v5
4. Transport      Sun.Net, TCP
3. Network        IPSec
2. Data link      L2TP, PPTP, L2F
1. Physical       KG, KIV (link encryptors)
Comparison of Provider Provisioned Based VPNs
Security issues: neither MPLS Layer 2 nor MPLS Layer 3 VPNs provide encryption, authentication or key management; traffic separation relies solely on the provider's label switching and per-customer routing tables, so the customer must trust the provider's core.
Comparison of Provider Provisioned Based VPNs
Deployment considerations:
                              MPLS Layer 3                   MPLS Layer 2
Implementation                Requires high-end devices      Can be implemented with simpler devices
Configuration & management    Complex and more challenging   Simple
Cost                          More expensive                 Less expensive
Comparison of Provider Provisioned Based VPNs
Interoperability: IPSec can be run over either a Layer 2 or a Layer 3 MPLS infrastructure to add the strong authentication, integrity and confidentiality (encryption) that MPLS itself does not provide.
Comparison of Provider Provisioned Based VPNs
Performance: MPLS Layer 2 VPNs are more efficient and give higher throughput because they need fewer route look-ups and less encapsulation than Layer 3 VPNs.
Comparison of Provider Provisioned Based VPNs
Multiprotocol support:
                 MPLS Layer 3 VPN     MPLS Layer 2 VPN
Protocols        IP only              Any layer 3 protocol (IP, IPX, DECnet etc.)
IPv6 support     None                 Capable; integrated into the protocol
Note: the "None" entry reflects the state at the time of the presentation; 6VPE (RFC 4659) later added IPv6 VPNs to MPLS Layer 3.
Future of VPN
Voice and video over VPN: integrating IP telephony, Quality of Service and IPSec so that latency-sensitive voice and video data is delivered on time.
SSL VPN: provides remote-access VPN functionality without dedicated client software, using Secure Sockets Layer (SSL/TLS) in the web browser.