VPN - Virtual Private Networks
Mathias Schäfer, WS 2003/2004

Overview
Why VPNs
VPN use cases
Requirements
Security
Performance
Conclusion
Why VPNs
In business solutions, VPN technology is gaining importance. Enterprises increasingly operate on a global scale. There is a need for cost-effective solutions to integrate satellite workplaces, such as branch offices, suppliers and field services, into the enterprise network.
VPN use cases
Enterprises are usually composed of a head office, branch offices and outdoor (field) staff. Additionally there are suppliers, which are not really part of the company.

VPN use cases
To reflect the business processes in the company's network structure, all components of the whole enterprise need to be integrated. VPN types are classified according to these use cases: Remote-Access-VPN for field services, Branch-Office-VPN for branch offices, and Extranet-VPN for suppliers.
Conventional solutions mostly use wired or dial-in connections between the two endpoints. These connections become very expensive for long-distance or international links. On the central office side, a large number of connection interfaces is needed to serve all connection requests.

VPN technology in detail
Internet-VPN or IP-VPN technology uses the existing Internet to break up long-distance connections. Instead of establishing a connection between the endpoints, each endpoint only needs to be connected to the nearest Internet node. This decreases both distances and fees.
Remote-Access
Remote access for outdoor staff requires many connections. Usually PPP dial-in connections are used to establish the links between the outdoor staff and the head office. A Remote-Access-Concentrator (RAC) terminates these connections on the head office side. Normally the RAC is connected to the provider's telephone network via a PMX (ISDN primary rate) interface.

Remote-Access (diagram)
Remote-Access-VPN
With Internet-VPN technology, the outdoor staff connect to the Internet via whatever link technology the local ISP provides. The head office is connected to the Internet via a single broadband link, and a VPN-Concentrator takes the place of the RAC. The data link connection is implemented as a tunnel through the Internet and is terminated inside the VPN-Concentrator.

Remote-Access-VPN (diagram)
Branch-Office
Conventional connections between branch-office networks and the head-office network are normally based on wired technology, ATM or Frame Relay. Router equipment on both sides of the connection terminates the link. As with remote access, the cost of this solution depends on the distance and becomes very high for international connections.

Branch-Office (diagram)
Branch-Office-VPN
In a Branch-Office-VPN the router equipment is replaced by VPN gateways, which terminate the virtual tunnel connection between the endpoints. Both endpoints are physically connected only to the Internet, not to each other.

Branch-Office-VPN (diagram)
Extranet-VPN
To allow faster reaction, it is advisable to integrate suppliers into the company's network. They should have only limited access, because they are not really part of the company. Usually firewalls limit their access to the intranet; apart from that, the structure is similar to a Branch-Office-VPN.

Extranet-VPN (diagram)
Requirements: Security
Confidentiality: transmitted information has to be protected against unauthorized access. Integrity: transmitted information must not be altered during transmission. Authentication: the authenticity of the communication partners has to be proved and guaranteed for the whole duration of the connection.

Requirements: Availability
There has to be a guaranteed availability of the service. Maximum downtime or minimum uptime percentages are agreed by contract with the service provider in SLAs (service level agreements).

Requirements: Performance
Minimum bandwidth and maximum latency are the main performance aspects of a connection. For Internet-VPNs it is normally not possible for a service provider to guarantee these parameters; SLAs mostly declare contractual penalties instead.
Principle
Tunneling is implemented by encapsulating data packets during transmission.

Tunneling models
The following tunneling models are distinguished. End-to-End-Model: no service provider is involved in the tunneling process, except for providing the Internet connection. Intra-Provider-Model: the company is not involved in the tunneling process. Provider-Enterprise-Model: a mixed configuration, in which one side is provided by the service provider and the other side belongs to the company.

End-to-End-Model (diagram)

Intra-Provider-Model (diagram)

Provider-Enterprise-Model (diagram)
IP-Security-Protocol IPSec
IPSec was developed for security purposes, so there are many security options to choose from. It offers an optional tunnel mode, which can tunnel IP packets only. The connection partners use unidirectional Security Associations (SAs), which represent the configuration of an established IPSec link.

IP-Security-Protocol IPSec
IPSec uses symmetric encryption; the key exchange is done with the Internet Key Exchange (IKE) protocol. For authentication IPSec supports pre-shared secrets, public-key methods and certificate-based procedures. IPSec hides the structure of the internal network by encrypting the inner IP header.

IP-Security-Protocol IPSec
IPSec's primary tunneling model is the end-to-end model, so the client needs an IPSec implementation. Software implementations are available for nearly all operating systems.

IP-Security-Protocol IPSec (diagram)
Layer 2 Tunneling Protocol L2TP
L2TP encapsulates PPP frames, which allows tunneling of all layer 3 packet types supported by PPP. L2TP is designed as a tunneling protocol, not for security: it supports only weak CHAP-like authentication and encryption of the control channel. Consequently, security has to be implemented at other layers.

Layer 2 Tunneling Protocol L2TP
The Provider-Enterprise-Model for remote access is the primary model used for L2TP implementations. Instead of the normal RAC, an L2TP Access Concentrator (LAC) is used.

Layer 2 Tunneling Protocol L2TP
Decisions on how to handle incoming calls are made based on the called number or on a prefix or suffix of the user ID. If so indicated, the LAC establishes a tunnel to the L2TP Network Server (LNS) on the enterprise side. This enables compulsory tunneling.

Layer 2 Tunneling Protocol L2TP (diagram)

Layer 2 Tunneling Protocol L2TP
If used in the end-to-end model, the LAC functionality is implemented in client-side software. This implies voluntary tunneling.
IPSec-secured L2TP (L2TP/IPSec)
Combining L2TP and IPSec provides the security options supplied by IPSec together with the packet-type flexibility of L2TP. This causes a lot of overhead, which pushes the decision toward moving to IP-based applications so that IPSec can be used without L2TP.

IPSec-secured L2TP (L2TP/IPSec) (diagram)

IPSec-secured L2TP (L2TP/IPSec)
Other combinations are possible and sensible as well: for example, IPSec in the end-to-end model carried inside L2TP in the provider-enterprise model enables compulsory tunneling with IPSec security.
Security
If security options are needed, IPSec is the protocol to choose. The cryptographic algorithms used are considered secure nowadays. IPSec's security functionality offers encryption, authentication, packet integrity, hiding of internal network structures, and protection against replay and denial-of-service attacks. If packet types other than IP have to be carried as well, L2TP/IPSec is the only mechanism that fulfills both needs.
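As an added illustration (not part of the original slides), the following Python model ties together the IPSec mechanisms named on this slide and on the IPSec slides above: one unidirectional SA per direction, tunnel-mode encapsulation that encrypts the complete inner IP packet, an integrity check over the ESP header and payload, and the sliding anti-replay window. The SPI, the keys, the 12-byte ICV and the HMAC-based stand-in cipher are constructed for the example; real IPSec negotiates its algorithms and keys via IKE.

```python
import hmac, hashlib, struct
WINDOW = 32  # anti-replay window size in packets (the IPsec minimum)

def keystream(key, seq, n):
    # Stand-in stream cipher (HMAC-SHA256 in counter mode, keyed per
    # sequence number); real IPsec uses a block cipher such as AES here.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack(">IQ", seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def xor(data, pad):
    return bytes(a ^ b for a, b in zip(data, pad))

class SA:
    """One unidirectional Security Association: SPI, keys and sequence state."""
    def __init__(self, spi, enc_key, auth_key):
        self.spi, self.enc_key, self.auth_key = spi, enc_key, auth_key
        self.seq = 0     # sender side: last sequence number sent
        self.last = 0    # receiver side: highest sequence number accepted
        self.bitmap = 0  # receiver side: bit i set => seq (last - i) seen
    def encapsulate(self, inner_packet):
        # Tunnel mode: the complete inner IP packet, header included, is
        # encrypted, so the internal addresses are hidden from the Internet.
        self.seq += 1
        hdr = struct.pack(">II", self.spi, self.seq)  # ESP header: SPI, seq
        ct = xor(inner_packet, keystream(self.enc_key, self.seq, len(inner_packet)))
        icv = hmac.new(self.auth_key, hdr + ct, hashlib.sha256).digest()[:12]
        return hdr + ct + icv

    def _accept_seq(self, seq):  # sliding-window anti-replay check (RFC 2401)
        if seq > self.last:                        # newer than anything seen
            shift = seq - self.last
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.last = seq
            return True
        diff = self.last - seq
        if diff >= WINDOW or self.bitmap & (1 << diff):
            return False                           # too old, or a replay
        self.bitmap |= 1 << diff
        return True

    def decapsulate(self, esp_packet):
        # Inner packet, or None if the integrity check (done first) or the
        # anti-replay check fails; unauthenticated data is never decrypted.
        hdr, ct, icv = esp_packet[:8], esp_packet[8:-12], esp_packet[-12:]
        spi, seq = struct.unpack(">II", hdr)
        expected = hmac.new(self.auth_key, hdr + ct, hashlib.sha256).digest()[:12]
        if spi != self.spi or not hmac.compare_digest(icv, expected):
            return None
        return xor(ct, keystream(self.enc_key, seq, len(ct))) if self._accept_seq(seq) else None
```

A bidirectional link is two SA objects with different keys, one per direction; a replayed or tampered packet is dropped before its contents are ever decrypted.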
Performance
In addition to the provider- and connection-dependent performance aspects, the hardware used is also relevant to the performance of a VPN. With IPSec the cryptographic algorithms need a lot of computing power. Dedicated VPN equipment often uses specialized cryptographic processing units, which offer much better performance than general-purpose CPUs.

Performance
With L2TP there are many PPP sessions which have to be terminated, primarily at the L2TP Network Servers. There are components built to be scalable, so that they can meet increased demand. If L2TP/IPSec is used, increased attention has to be paid to performance aspects.

Conclusion
Internet-VPN technology offers cost-effective solutions if planned in detail. If all components are well chosen, IPSec offers high-security solutions, also for major projects. The most important milestone on the way to implementing a VPN is a detailed analysis of needs.