
Post on 27-Jul-2020


VPN - Virtual Private Networks

Mathias Schäfer

WS 2003/2004

VPN - Virtual Private Networks Mathias Schäfer WS 2003/2004

2 Overview

Why VPNs

VPN-use-cases

VPN-technology vs. conventional solutions

Requirements

Tunneling

Security

Performance

Conclusion

3 Why VPNs

In business solutions, VPN technology is gaining importance

Enterprises increasingly operate on a global scale

Cost-effective solutions are needed to integrate satellite workplaces, like branch offices, suppliers and field services, into the enterprise network

4 VPN use cases

Enterprises are usually composed of

Head office

Branch offices

Outdoor staff

In addition there are suppliers, which are not really part of the company

5 VPN use cases

To reflect business processes in the company's network structure, all components of the whole enterprise need to be integrated

VPN types are classified according to these use cases

Remote-Access-VPN - field services

Branch-Office-VPN - branch offices

Extranet-VPN - suppliers

6 VPN technology vs. conventional solutions

Conventional solutions mostly use wired or dial-in connections between the two endpoints

These connections become very expensive for long-distance or international links

On the central-office side, many connection interfaces are needed to serve all connection requests

7 VPN technology vs. conventional solutions

VPN technology, specifically Internet-VPN or IP-VPN technology, uses the existing Internet to split up long-distance connections

Instead of establishing a connection between the endpoints, each endpoint only needs to be connected to the nearest Internet node

This reduces both distance and fees

8 VPN technology vs. conventional solutions

Remote-Access

Remote access for outdoor staff requires many connections

Usually PPP dial-in connections are used to establish links between outdoor staff and the head office

A Remote-Access-Concentrator (RAC) is used to terminate these connections on the head office side

Normally the RAC is connected to the provider's telephone network using PMX (ISDN primary rate access)

9 VPN technology vs. conventional solutions

Remote-Access (diagram slide; figure not included in the transcript)

10 VPN technology vs. conventional solutions

Remote-Access-VPN

With Internet-VPN technology, outdoor staff connect to the Internet via whatever link technology the local ISP provides

The head office is connected to the Internet via a single broadband link; a VPN concentrator takes the place of the RAC

The data link connection is implemented as a tunnel through the Internet and is terminated in the VPN concentrator

11 VPN technology vs. conventional solutions

Remote-Access-VPN (diagram slide; figure not included in the transcript)

12 VPN technology vs. conventional solutions

Branch-Office

Conventional connection types for the link between branch-office networks and the head-office network are normally based on wired technology, ATM or Frame Relay

Router equipment on both sides of this connection terminates the link

As with remote access, the cost of this solution depends on the distance and becomes very high for international connections

13 VPN technology vs. conventional solutions

Branch-Office (diagram slide; figure not included in the transcript)

14 VPN technology vs. conventional solutions

Branch-Office-VPN

In a Branch-Office-VPN the router equipment is replaced by VPN gateways, which terminate the virtual tunnel connection between the endpoints

Both endpoints are physically connected only to the Internet, not to each other

15 VPN technology vs. conventional solutions

Branch-Office-VPN (diagram slide; figure not included in the transcript)

16 VPN technology vs. conventional solutions

Extranet-VPN

To allow faster reaction, it is advisable to integrate suppliers into the company's network

They should have limited access, because they are not really part of the company

Usually firewalls limit their access to the intranet; apart from that the structure is similar to a Branch-Office-VPN

17 VPN technology vs. conventional solutions

Extranet-VPN (diagram slide; figure not included in the transcript)

18 Requirements

Security

Confidentiality of information

Transmitted information has to be protected against unauthorized access

Integrity of information

Transmitted information must not be altered during transmission

Authentication

The authenticity of the communication partners has to be proven and guaranteed for the duration of the connection

19 Requirements

Availability

Availability of the service has to be guaranteed

Maximum downtime or minimum uptime percentages are agreed with the service provider by contract in SLAs

20 Requirements

Performance

Minimum bandwidth and maximum latency are the main performance aspects of a connection

For Internet-VPNs it is normally not possible for a service provider to guarantee these parameters

SLAs mostly specify contractual penalties

21 Tunneling

Principle

Tunneling is implemented by encapsulating data packets during transmission

22 Tunneling

Tunneling models

Three tunneling models are distinguished

End-to-End-Model: no service provider is involved in the tunneling process, except for providing the Internet connection

Intra-Provider-Model: the company is not involved in the tunneling process

Provider-Enterprise-Model: mixed configuration; one side is provided by the service provider, the other side belongs to the company

23 Tunneling

End-to-End-Model (diagram slide; figure not included in the transcript)

24 Tunneling

Intra-Provider-Model (diagram slide; figure not included in the transcript)

25 Tunneling

Provider-Enterprise-Model (diagram slide; figure not included in the transcript)

26Tunneling

TunnelingIP-Security-Protocol – IPSec

IPSec was developed for security reasons, so there are many security-options to choose

As an option there is an IPSec-tunneling-mode, with the ability of tunneling exclusively IP-Pakets

The connection-partners use unidirectional SAs which represent the configuration of an established IPSec-link

27 Tunneling

IP Security Protocol – IPSec

IPSec uses symmetric encryption; the key exchange is done with the Internet Key Exchange protocol (IKE)

For authentication IPSec supports

pre-shared secrets

public key methods

certificates

IPSec hides the structure of the internal network by encrypting the inner IP header

28 Tunneling

IP Security Protocol – IPSec

IPSec's primary tunneling model is the End-to-End-Model, so the client needs an IPSec implementation

Software implementations are available for nearly all operating systems

29 Tunneling

IP Security Protocol – IPSec (diagram slide; figure not included in the transcript)

30 Tunneling

Layer 2 Tunneling Protocol – L2TP

L2TP encapsulates PPP frames, which allows tunneling of all layer 3 packet types supported by PPP

L2TP is designed as a tunneling protocol, not for security; it supports only weak CHAP-like authentication and encryption of the control channel

As a consequence, security has to be implemented at other layers
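The encapsulation this slide describes, as an added Python example that is not part of the original talk: a PPP frame carrying IP or IPX is wrapped in an L2TPv2 data-message header (RFC 2661 layout, IANA PPP protocol numbers) and parsed back, which is what makes L2TP independent of the layer 3 protocol. The helper names and the sample frames are my own.

```python
import struct

# PPP protocol numbers carried in the tunneled frame (IANA PPP number assignments)
PPP_IP = 0x0021   # Internet Protocol
PPP_IPX = 0x002B  # Novell IPX, a non-IP layer 3 protocol that L2TP can still carry

L2TP_VERSION = 2
FLAG_T = 0x8000  # control message (data messages have the T bit clear)
FLAG_L = 0x4000  # Length field present
FLAG_S = 0x0800  # Ns/Nr sequence fields present
FLAG_O = 0x0200  # Offset Size field present

def ppp_frame(protocol, payload):
    """PPP frame as it travels inside L2TP: address 0xFF, control 0x03, protocol, data."""
    return b"\xff\x03" + struct.pack("!H", protocol) + payload

def l2tp_encapsulate(tunnel_id, session_id, ns, nr, frame):
    """Prefix a PPP frame with an L2TPv2 data-message header (RFC 2661 layout)."""
    flags = FLAG_L | FLAG_S | L2TP_VERSION
    total = 12 + len(frame)  # flags, length, tunnel id, session id, Ns, Nr: 2 bytes each
    return struct.pack("!HHHHHH", flags, total, tunnel_id, session_id, ns, nr) + frame

def l2tp_decapsulate(packet):
    """Parse the header, then read which layer 3 protocol the PPP frame carries."""
    flags = struct.unpack_from("!H", packet, 0)[0]
    if (flags & 0x000F) != L2TP_VERSION:
        raise ValueError("not an L2TPv2 message")
    if flags & FLAG_T:
        raise ValueError("control message, carries no user data")
    offset, length = 2, None
    if flags & FLAG_L:
        length = struct.unpack_from("!H", packet, offset)[0]
        offset += 2
    tunnel_id, session_id = struct.unpack_from("!HH", packet, offset)
    offset += 4
    ns = nr = None
    if flags & FLAG_S:
        ns, nr = struct.unpack_from("!HH", packet, offset)
        offset += 4
    if flags & FLAG_O:  # skip the Offset Size field and the padding it announces
        offset += 2 + struct.unpack_from("!H", packet, offset)[0]
    if length is not None and length != len(packet):
        raise ValueError("Length field does not match the packet size")
    frame = packet[offset:]
    if frame[:2] == b"\xff\x03":  # HDLC-style address/control fields, if the peer sends them
        frame = frame[2:]
    protocol = struct.unpack_from("!H", frame, 0)[0]  # 0x0021 = IP, 0x002B = IPX, ...
    return {"tunnel": tunnel_id, "session": session_id, "ns": ns, "nr": nr,
            "protocol": protocol, "payload": frame[2:]}
```

Note that nothing in the header or the parser inspects the tunneled payload, which is exactly why security for the tunneled traffic has to come from another layer.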

31 Tunneling

Layer 2 Tunneling Protocol – L2TP

The Provider-Enterprise-Model for remote access is the primary model used in L2TP implementations

Instead of the normal RAC, an L2TP Access Concentrator (LAC) is used

32 Tunneling

Layer 2 Tunneling Protocol – L2TP

Decisions on how to handle incoming calls are made based on the called number or on a prefix or suffix of the user ID

If so indicated, the LAC establishes a tunnel to the enterprise-side L2TP Network Server (LNS)

This enables compulsory tunneling

33 Tunneling

Layer 2 Tunneling Protocol – L2TP (diagram slide; figure not included in the transcript)

34 Tunneling

Layer 2 Tunneling Protocol – L2TP

If used in the End-to-End-Model, the LAC functionality is implemented in client-side software

This implies voluntary tunneling

35 Tunneling

IPSec-secured L2TP – L2TP/IPSec

Combining L2TP and IPSec provides the security options of IPSec together with the packet-type flexibility of L2TP

This causes a lot of overhead, which pushes towards migrating to IP-based applications so that IPSec can be used without L2TP

36 Tunneling

IPSec-secured L2TP – L2TP/IPSec (diagram slide; figure not included in the transcript)

37 Tunneling

IPSec-secured L2TP – L2TP/IPSec

Other combinations are also possible and reasonable

Tunneling IPSec in the End-to-End-Model inside L2TP in the Provider-Enterprise-Model, for example, enables compulsory tunneling with IPSec security

38 Security

If security options are needed, IPSec is the protocol to choose

The cryptographic algorithms used are considered secure nowadays

IPSec's security functionality offers

encryption

authentication

packet integrity

hiding of internal network structures

protection from replay and denial-of-service attacks

If packet types other than IP are also used, L2TP/IPSec is the only mechanism that fulfils both needs
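The SA, the encrypted inner header and the replay protection from the IPSec slides, as an added Python example that is not part of the original talk: a tunnel-mode ESP packet exposes only the gateways' addresses on the wire, the receiver checks the ICV before touching its anti-replay window, and duplicated or tampered packets are rejected. Assumptions: the cipher is a labelled stand-in (HMAC-SHA256 driven in counter mode) for a negotiated ESP algorithm, the outer IP header is reduced to the two addresses, and all names are mine.

```python
import hmac, hashlib, struct

WINDOW = 64  # receiver anti-replay window: bitmap of sequence numbers already accepted

def ip4(dotted):  # 4-byte address, stands in for a full IP header in this example
    return bytes(int(x) for x in dotted.split("."))

class SecurityAssociation:
    """One unidirectional SA: SPI, keys, sender sequence counter, receiver replay window."""
    def __init__(self, spi, enc_key, auth_key):
        self.spi, self.enc_key, self.auth_key = spi, enc_key, auth_key
        self.seq_out = 0   # sender side: last sequence number sent
        self.highest = 0   # receiver side: highest sequence number accepted
        self.window = 0    # receiver side: bit i set -> seq (highest - i) already seen

def keystream(key, spi, seq, n):
    # Assumption: HMAC-SHA256 driven in counter mode stands in for the negotiated ESP cipher
    blocks = (hmac.new(key, struct.pack("!IIQ", spi, seq, i), hashlib.sha256).digest()
              for i in range(0, n, 32))
    return b"".join(blocks)[:n]

def esp_tunnel_encapsulate(sa, gw_src, gw_dst, inner_packet):
    """Tunnel mode: the whole inner packet, its IP header included, becomes the ESP payload."""
    sa.seq_out += 1
    esp_header = struct.pack("!II", sa.spi, sa.seq_out)  # SPI + monotonically increasing seq
    stream = keystream(sa.enc_key, sa.spi, sa.seq_out, len(inner_packet))
    ciphertext = bytes(a ^ b for a, b in zip(inner_packet, stream))
    icv = hmac.new(sa.auth_key, esp_header + ciphertext, hashlib.sha256).digest()[:16]
    return ip4(gw_src) + ip4(gw_dst) + esp_header + ciphertext + icv  # outer header in clear

def esp_tunnel_decapsulate(sa, wire):
    """Verify the ICV, enforce the anti-replay window, then recover the inner packet."""
    esp = wire[8:]  # drop the 8-byte stand-in outer IP header
    spi, seq = struct.unpack("!II", esp[:8])
    if spi != sa.spi:
        raise ValueError("no SA for this SPI")
    ciphertext, icv = esp[8:-16], esp[-16:]
    expected = hmac.new(sa.auth_key, esp[:8] + ciphertext, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("integrity check failed")  # forged packets never move the window
    if seq > sa.highest:  # newer than anything seen: slide the window forward
        shift = seq - sa.highest
        sa.window = ((sa.window << shift) | 1) & ((1 << WINDOW) - 1) if shift < WINDOW else 1
        sa.highest = seq
    else:  # older: must be inside the window and not yet marked as received
        behind = sa.highest - seq
        if seq == 0 or behind >= WINDOW or sa.window & (1 << behind):
            raise ValueError("replayed or too old sequence number %d" % seq)
        sa.window |= 1 << behind
    return bytes(a ^ b for a, b in zip(ciphertext, keystream(sa.enc_key, spi, seq, len(ciphertext))))
```

Because the window is updated only after a successful ICV check, an attacker who cannot forge the ICV can neither replay a packet nor advance the receiver's window to shut out legitimate traffic.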

39 Performance

In addition to the provider- and connection-dependent performance aspects, the hardware used is also relevant to VPN performance

With IPSec, the cryptographic algorithms need a lot of computing power

Dedicated VPN equipment often uses specialized cryptographic processing units, which offer much better performance than general-purpose CPUs

40 Performance

With L2TP there are many PPP sessions, which have to be terminated primarily at the L2TP Network Servers

There are components designed to be scalable so that they can meet growing demands

If L2TP/IPSec is used, increased attention has to be paid to performance aspects

41 Conclusion

Internet-VPN technology offers cost-effective solutions if planned in detail

If all components are well chosen, IPSec offers high-security solutions, even for major projects

The most important milestone on the way to implementing a VPN is a detailed analysis of needs