Post on 12-Apr-2017
MS-IS Synopsis Defense
Date: 05-10-2015
Performance Analysis of VPN at Different Levels of Virtualized Data Center
By Muhammad Kamran
10727
Supervised by Dr. Muhammad Yousaf, Assistant Professor
Data Center
A data center is a central repository that contains servers, network devices (switches, routers), security devices (firewall, IDS, IPS) and storage devices (FC SANs, iSCSI SANs, NAS).
A data center provides all IT-related services from a single location.
Physical Data Center: a collection of physical resources (servers, switches, routers, firewalls, SANs) that are connected with each other through physical links.
Virtualized Data Center: a data center where some of the hardware (e.g., servers, routers, switches, and links) is virtualized.
Virtual Data Center: a data center where all of the hardware (e.g., servers, routers, switches, and links) is virtualized.
Data Center types
Data Center Physical Infrastructure
[Diagram labels: Applications, Operating System, Physical Host; Network (Fibre Channel, Ethernet); Fibre Channel Storage, NFS Storage, iSCSI Storage]
Virtual Data Center Infrastructure
[Diagram labels: Virtual Machines, Hypervisor, Host; Network (Fibre Channel, Ethernet); Fibre Channel Storage, NFS Storage, iSCSI Storage]
Bare Metal (Type 1)
Installed as the operating system.
VMware ESXi, Microsoft Hyper-V, Citrix Xen, Linux KVM.
Hypervisor
[Diagram: virtual architecture compared with physical architecture. Labels: application, operating system, hypervisor, virtual switch, x64 architecture]
Virtual Network
[Diagram labels: Virtual Switch, Physical Switch]
Virtual Network Load Balancing
VPN is a widely deployed mechanism for improving the security of the data center. It provides:
– Enhanced Security
– Remote Control
– Online Anonymity
– Unblock Websites & Bypass Filters
– Better Performance
– Reduced Costs
VPN
• Virtualization provides services to external users, such as cloud computing services. One way to secure the connections to the internal network is to establish a VPN connection/channel between endpoints.
• VPNs are mostly deployed on firewalls.
• When VPN is deployed for secure communication not just in a physical data center but in a virtualized environment, problems of performance, security, reliability, stability and availability arise for the network.
Problem Statement
Related Work / Literature Survey
The research on VPN and its impact on different techniques is summarized below. Most of the techniques involve the effect of VPN on security and performance.
No. 1, Reference [1]
Analysis: The analysis of IPSec and SSL in terms of security and performance concluded that the choice between IPSec and SSL depends on security needs.
Results: IPSec performs better than SSL across all security algorithms (DES, 3DES, AES, Blowfish).

No. 2, Reference [2]
Analysis: Performance evaluation of IPSec, PPTP and SSL with different security algorithms (3DES, Blowfish, AES) on different operating systems (Windows 2003, Linux, Vista).
Results:
• In PPTP the difference in performance is negligible, but when it comes to DES and AES, Linux gives the lowest throughput with the highest CPU usage.
• Windows 2003 is the lowest consumer of CPU except for IPSec traffic. Vista gives almost the same results as Linux.

No. 3, Reference [3]
Analysis: Effects of video and audio streaming on performance over VPN technology with Novell NetWare and Windows 2000.
Results: For the CPU usage obtained on the Novell platform, the differences are significant. Utilization in Windows never exceeds 4%, but on the Novell platform it reached 10% for a single encrypted tunnel.

No. 4, Reference [4]
Analysis: A performance comparison of OpenVPN and IPSec-based VPN, with measurements including throughput, with the same cipher and key length.
Results: From an implementation point of view, the author chose OpenVPN for its simplicity and its fast and straightforward implementation.

No. 5, Reference [5]
Analysis: To investigate the impact of using VPN together with a firewall on cloud computing performance.
Results:
1. The integration of VPN with a firewall in cloud computing will reduce the throughput.
2. No traffic was received for the e-mail application in cloud computing with a firewall and no VPN.
3. In web browsing applications, there would be traffic sent and received in the case of cloud computing with VPN and without VPN.

No. 6, Reference [7]
Analysis: Impact of protocols (SSL, PPTP, IPSec) on end-to-end user application performance using metrics such as throughput, RTT, jitter, and packet loss on a Windows XP SP2 host (VPN client) connected to a Windows Server 2003 host (VPN server) and to a Fedora Core 6 host (VPN server).
Results:
• TCP throughput: PPTP on Windows Server 2003 is first, PPTP on Fedora Core 6 is second, OpenVPN on Fedora Core 6 is third, L2TP/IPsec on Fedora Core 6 is fourth, L2TP/IPsec on Windows Server 2003 is fifth, and OpenVPN on Windows Server 2003 is last.
• RTT: PPTP on Windows Server 2003 is first, PPTP on Fedora Core 6 is second, L2TP/IPsec on Windows Server 2003 is third, OpenVPN on Fedora Core 6 is fourth, OpenVPN on Windows Server 2003 is fifth, and L2TP/IPsec on Fedora Core 6 is last.
• UDP throughput: for PPTP on Windows Server 2003, PPTP on Fedora Core 6, L2TP/IPSec on Windows Server 2003, and L2TP/IPSec on Fedora Core 6, the UDP throughput is equal to the transmission rate if the transmission rate is less than 8000 kbits/sec and is less than the transmission rate if the transmission rate is more than 8000 kbits/sec.
• For OpenVPN on Windows Server 2003 and OpenVPN on Fedora Core 6, the UDP throughput is equal to the transmission rate if the transmission rate is less than 200 kbits/sec and is less than the transmission rate if the transmission rate is more than 200 kbits/sec.

No. 7, Reference [8]
Analysis: Analysis includes performance measurement, link quality and stability analysis, feature comparison, and interaction with TCP/IP protocols.
Results: The results are a dramatic loss of performance and throughput because of encapsulation and authentication techniques, and adding VPN then increases complexity and calculations. This study concludes that IPSec's performance is the lowest compared to PPTP/L2TP.

No. 8, Reference [9]
Analysis: To secure voice over IPSec VPNs while guaranteeing the performance and quality of services, without reducing the effective bandwidth, by using the AVISPA model.
Results: A newer VoIP over VPN security solution that adopts the IPSec tunneling protocol in combination with cRTP and IPHC compression technologies and uses SIP to exchange IPSec parameters. This solution provides security for voice traffic and guarantees performance and quality of services, without reducing the effective bandwidth.

No. 9, Reference [10]
Analysis: Analysis based on the structure, security and benefits of VPN technology for corporate networks.
Results: VPN technology can provide highly secure communications between corporate networks and their branch offices, remote employees, or business partners. VPN provides communication at low cost and requires little management skill from the administrators.
Limitations of Existing Techniques
The limitations in all of the previous studies are:
1. Implementations are not done on different levels of virtual environment.
2. Implementations are specific to old versions of OS [2].
3. Security/performance is the main concern of IPSec and SSL VPN, not other attributes like availability [1].
4. Performance measurements do not include virtual architecture [1].
5. No QoS, no site-to-site VPN analysis of multimedia applications [3].
6. Decrease in traffic flow when VPN is deployed in cloud computing (does not include the study of VPN when the firewall is deployed as physical FW, appliance FW or distributed FW with VPN) [5].
7. Software VPNs have a significant impact on performance, producing high CPU usage and limiting network throughput [6].
8. No performance evaluation of the remote access VPN protocols on software/hardware VPN [7].
Proposed Solution
I want to compare the VPN performance in a virtualized environment (DC) in these scenarios:
– VPN Performance on FW as Hardware in VDC
– VPN Performance on FW as VA in VDC
– VPN Performance on FW as Application in VDC
– VPN Performance on Integrated & Distributed FW in VDC
Data Center Topology
[Diagram labels: Host1, Host2, Hypervisor, Ethernet, iSCSI Storage Network]
Scenario 1: IPSec/SSL in Hardware FW
[Diagram labels: Virtual Switch, Firewall, Physical Switch, IPSec/SSL Connection]
Scenario 2: IPSec/SSL in Integrated & Distributed FW
[Diagram labels: Hypervisor; VM1, VM2, VM05, VM3, VM4; NSX Network Virtualization (Logical L2, Logical L3, Logical Firewall, Logical Load Balancer, Logical VPN); IPSec/SSL Connection]
Scenario 3: IPSec/SSL in FW as Appliance
[Diagram labels: Hypervisor; VM1, VM2, Firewall Appliance, VM3, VM4; IPSec/SSL Connection]
Scenario 4: IPSec/SSL in FW as Application
[Diagram labels: Hypervisor; VM1, VM2, VM3, VM4; IPSec/SSL Connection]
Performance Comparison
Performance:
• Performance of IPSec/SSL VPN deployment strategies will be compared based on communication delays, data rate and CPU usage at different levels of virtualization.
Proposed Methodology
Virtualized data center on VMware hypervisor
VMware vCenter for management of the virtualized data center
4 virtual machines with Windows Server 2012 OS
FTP Server on 2nd VM
DHCP Server on 3rd VM
Active Directory Server, DNS Server on 4th VM
Physical Servers
2 Hypervisor Hosts
– Processor Dual Core 3.0 GHz
– RAM 16 GB, Disk 80 GB, 2 NIC 1 Gbps
iSCSI SAN
– Processor Dual Core 3.0 GHz
– RAM 4 GB, Disk 250 GB, NIC 1 Gbps
vCenter Server
– Processor Dual Core 3.0 GHz
– RAM 8 GB, Disk 80 GB, 1 NIC 1 Gbps
Firewall
Cisco ASA 5505 Firewall
Cisco ASA 100v Virtual Appliance
pfSense Software Firewall
VMware NSX Distributed Firewall
Hypervisor/Software
− VMware ESXi 5.5 Hypervisor
− VMware vCenter 5.5
− VMware web client
− VMware vclient
− StarWind iSCSI software SAN
− VMware NSX
− Microsoft Server 2012 R2
− Microsoft DNS/AD/DHCP
Timeline
Actual Work | Time Required
Create Virtualized Data Center | 2 Weeks
Installation of Network Monitoring and Analysis tools | 1 Week
Installation and Configuration of FW Scenarios | 2 Weeks
Creation and Configuration of Network devices | 1 Week
Creation and Configuration of VPN between end nodes | 1 Week
Analysis/Measurement of traffic for each scenario/level | 1 Month
Finalizing Results | 2 Weeks
Write-up of Analysis | 3 Weeks
Final Report | 1-2 Weeks
Summary
• This study will be an actual implementation of VPN (IPSec/SSL) on 4 different levels of virtualization. VPN performance will be measured at all these levels based on delays, bandwidth and throughput. This will give us results showing what kind of VPN performs better in different scenarios.
References
1. AbdelNasir Alshamsi and Takamichi Saito, "A Technical Comparison of IPSec and SSL", Advanced Information Networking and Applications, 2005. AINA 2005. 19th International Conference.
2. Shaneel Narayan, Kris Brooking, Simon de Vere, "Network Performance Analysis of VPN Protocols: An empirical comparison on different operating systems", Networks Security, Wireless Communications and Trusted Computing, NSWCTC, April 2009.
3. Samir Al-Khayatt, Siraj A. Shaikh, Babak Akhgar, Jawed Siddiqi, "Performance of Multimedia Applications with IPSec Tunneling", Information Technology: Coding and Computing, International Conference, April 2002.
4. I. Kotuliak, P. Rybár, P. Trúchly, "Performance Comparison of IPsec and TLS Based VPN Technologies", Emerging eLearning Technologies and Applications (ICETA), 2011 9th International Conference.
5. Ameen, Siddeeq Y, Nourildean, Shayma Wail, "Firewall and VPN Investigation on Cloud Computing Performance", International Journal of Computer Science and Engineering Survey 5.2 (Apr 2014).
6. Pena, C.J.C.; Evans, J., "Performance evaluation of software VPNs (VPN)", Local Computer Networks, 2000. LCN 2000. Proceedings. 25th Annual IEEE Conference 2000.
7. Ahmed A. Joha, Fathi Ben Shatwan, Majdi Ashibani, "Performance Evaluation for Remote Access VPN on Windows Server 2003 and Fedora Core 6", Telecommunications in Modern Satellite, Cable and Broadcasting Services, 2007. TELSIKS, 8th International Conference 2007.
8. T. Dierks and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", IETF RFC 5246, 2008.
9. Thomas Berger, "Analysis of Current VPN Technologies", Availability Reliability and Security, 2006. ARES 2006 IEEE, April 2006.
10. Wafaa Bou Diab, Samir Tohme, Carole Bassil, "VPN Analysis and New Perspective for Securing Voice over VPN Networks", Networking and Services, 2008, ICNS International Conference 2008.
11. Ayhan ERDOĞAN, Dz. Yzb, "Virtual Private Networks (VPNs): A Survey", Institute of Naval Sciences and Engineering 2008.
Any Question
End …