VPN in Virtualized DataCenter

Date post: 12-Apr-2017
Upload: isra-university-hyderabad-karachi-islamabad
MS-IS Synopsis Defense
Date: 05-10-2015

Performance Analysis of VPN at Different Levels of Virtualized Data Center

By Muhammad Kamran

10727

Supervised By
Dr. Muhammad Yousaf
Assistant Professor

Data Center

A data center is a central repository that contains servers, network devices (switches, routers), security devices (firewalls, IDS, IPS) and storage devices (FC SANs, iSCSI SANs, NAS).

A data center provides all IT-related services from a single location.

Data Center types

Physical Data Center: A collection of physical resources (servers, switches, routers, firewalls, SANs) that are connected with each other through physical links.

Virtualized Data Center: A data center where some of the hardware (e.g., servers, routers, switches, and links) is virtualized.

Virtual Data Center: A data center where all of the hardware (e.g., servers, routers, switches, and links) is virtualized.

Data Center Physical Infrastructure

[Figure: diagram with the labels Physical Host, Operating System, Applications, Network, Ethernet, Fibre Channel, Fibre Channel Storage, NFS Storage, iSCSI Storage.]

Virtual Data Center Infrastructure

[Figure: diagram with the labels Host, Hypervisor (×5), Virtual Machines, Network, Ethernet, Fibre Channel, Fibre Channel Storage, NFS Storage, iSCSI Storage.]

Hypervisor

Bare Metal (Type 1)

Installed as the operating system.

VMware ESXi, Microsoft Hyper-V, Citrix Xen, Linux KVM.

Virtual Network

[Figure: diagram with the labels Physical architecture, Virtual architecture, application, operating system, Hypervisor, virtual switch, x64 architecture.]

Virtual Network Load balancing

[Figure: diagram with the labels Virtual Switch, Physical Switch.]

VPN

VPN is a widely deployed mechanism for improving the security of a data center. It provides:

– Enhanced Security
– Remote Control
– Online Anonymity
– Unblock Websites & Bypass Filters
– Better Performance
– Reduced Costs

Problem Statement

• Virtualization provides services to external users, such as cloud computing services. One way to secure the connections to the internal network is to establish a VPN connection/channel between end points.
• VPNs are mostly deployed on firewalls.
• When VPN is deployed for secure communication not just in a physical data center but in a virtualized environment, problems of performance, security, reliability, stability and availability arise for the network.

Related Work / Literature Survey

The research on VPN and its impact under different techniques is summarized in tabular form. Most of the techniques concern the effect of VPN on security and performance.

No. Reference Analysis Results

1. [1]
Analysis: The analysis of IPSec and SSL in terms of security and performance found that the choice between IPSec and SSL depends on security needs.
Results: IPSec performs better than SSL with all of the security algorithms (DES, 3DES, AES, Blowfish).

2. [2]
Analysis: Performance evaluation of IPSec, PPTP and SSL with different security algorithms (3DES, Blowfish, AES) on different operating systems (Windows 2003, Linux, Vista).
Results:
• In PPTP the difference in performance is negligible, but with DES and AES Linux gives the lowest throughput with the highest CPU usage.
• Windows 2003 is the lowest consumer of CPU except for IPSec traffic. Vista gives almost the same results as Linux.

3. [3]
Analysis: Effects of video and audio streaming on performance over VPN technology with Novell NetWare and Windows 2000.
Results: The differences in CPU usage on the Novell platform are significant. Utilization on Windows never goes above 4 %, but on the Novell platform it reached 10 % for a single encrypted tunnel.

4. [4]
Analysis: A performance comparison of OpenVPN and IPSec based VPNs, with measurements including throughput, using the same cipher and key length.
Results: From an implementation point of view, the author chose OpenVPN because of its simplicity and its fast, straightforward implementation.

5. [5]
Analysis: To investigate the impact of using VPN together with a firewall on cloud computing performance.
Results:
1. The integration of VPN with a firewall in cloud computing will reduce the throughput.
2. No traffic is received for the e-mail application in cloud computing with a firewall and no VPN.
3. In web browsing applications, traffic is sent and received in cloud computing both with VPN and without VPN.

6. [7]
Analysis: Impact of protocols (SSL, PPTP, IPSec) on end-to-end user application performance, using metrics such as throughput, RTT, jitter and packet loss, on a Windows XP SP2 host (VPN client) connected to a Windows Server 2003 host (VPN server) and to a Fedora Core 6 host (VPN server).
Results:
TCP throughput, first to last: PPTP on Windows Server 2003; PPTP on Fedora Core 6; OpenVPN on Fedora Core 6; L2TP/IPsec on Fedora Core 6; L2TP/IPsec on Windows Server 2003; OpenVPN on Windows Server 2003.

RTT, first to last: PPTP on Windows Server 2003; PPTP on Fedora Core 6; L2TP/IPsec on Windows Server 2003; OpenVPN on Fedora Core 6; OpenVPN on Windows Server 2003; L2TP/IPsec on Fedora Core 6.

UDP throughput: For PPTP on Windows Server 2003, PPTP on Fedora Core 6, L2TP/IPsec on Windows Server 2003 and L2TP/IPsec on Fedora Core 6, the UDP throughput is equal to the transmission rate if the transmission rate is less than 8000 kbits/sec, and is less than the transmission rate if the transmission rate is more than 8000 kbits/sec.

For OpenVPN on Windows Server 2003 and OpenVPN on Fedora Core 6, the UDP throughput is equal to the transmission rate if the transmission rate is less than 200 kbits/sec, and is less than the transmission rate if the transmission rate is more than 200 kbits/sec.

7. [8]
Analysis: Analysis includes performance measurement, link quality and stability analysis, feature comparison, and interaction with TCP/IP protocols.
Results: The results show a dramatic loss of performance and throughput because of encapsulation and authentication techniques, and adding VPN then increases complexity and calculations. The study concludes that IPSec's performance is the lowest compared to PPTP/L2TP.

8. [9]
Analysis: To secure voice over IPSec VPNs while guaranteeing the performance and quality of service, without reducing the effective bandwidth, by using the AVISPA model.
Results: A newer VoIP over VPN security solution that adopts the IPSec tunneling protocol in combination with cRTP and IPHC compression technologies and uses SIP to exchange IPSec parameters. This solution provides security for voice traffic and guarantees performance and quality of service without reducing the effective bandwidth.

9. [10]
Analysis: Analysis based on the structure, security and benefits of VPN technology for corporate networks.
Results: VPN technology can provide highly secure communications between corporate networks and their branch offices, remote employees or business partners. VPN provides communication at low cost and requires little management skill from the administrators.

Limitations of Existing Techniques

The limitations of the previous studies are:

1. Implementations are not done on different levels of a virtual environment.
2. Implementations are specific to old versions of operating systems [2].
3. Security/performance is the main concern for IPSec and SSL VPN, not other attributes such as availability [1].
4. Performance measurements do not include virtual architecture [1].
5. No QoS and no site-to-site VPN analysis of multimedia applications [3].
6. Decrease in traffic flow when VPN is deployed in cloud computing (does not include the study of VPN when the firewall is deployed as a physical FW, appliance FW or distributed FW) [5].
7. Software VPNs have a significant impact on performance, producing high CPU usage and limiting network throughput [6].
8. No performance evaluation of the remote access VPN protocols on software/hardware VPN [7].

Proposed Solution

I want to compare the VPN performance in Virtualized Environment (DC) in these scenarios:

• VPN Performance on FW as Hardware in VDC
• VPN Performance on FW as VA in VDC
• VPN Performance on FW as Application in VDC
• VPN Performance on Integrated & Distributed FW in VDC

Data Center Topology

[Figure: topology diagram with the labels Host1, Host2, Hypervisor (×2), Ethernet, iSCSI Storage, Network.]

Scenario 1: IPSec/SSL in Hardware FW

[Figure: diagram with the labels Virtual Switch, Firewall, Physical Switch, IPSec/SSL Connection.]

Scenario 2: IPSec/SSL in Integrated & Distributed FW

[Figure: diagram with the labels Hypervisor, VM1, VM2, VM05, VM3, VM4, NSX Network Virtualization, Logical L2, Logical L3, Logical Firewall, Logical Load Balancer, Logical VPN, IPSec/SSL Connection.]

Scenario 3: IPSec/SSL in FW as Appliance

[Figure: diagram with the labels Hypervisor, VM1, VM2, Firewall Appliance, VM3, VM4, IPSec/SSL Connection.]

Scenario 4: IPSec/SSL in FW as Application

[Figure: diagram with the labels Hypervisor, VM1, VM2, VM3, VM4, IPSec/SSL Connection.]

Performance Comparison

Performance:

• The performance of the IPSec/SSL VPN deployment strategies will be compared based on communication delays, data rate and CPU usage at different levels of virtualization.

Proposed Methodology

• Virtualized data center on VMware hypervisor
• VMware vCenter for management of virtualized data center
• 4 virtual machines with Win Server 2012 OS
• FTP Server on 2nd VM
• DHCP Server on 3rd VM
• Active Directory Server, DNS Server on 4th VM

Physical Servers

2 Hypervisor Hosts
– Processor: Dual Core 3.0 GHz
– RAM 16 GB, Disk 80 GB, 2 NICs 1 Gbps

iSCSI SAN
– Processor: Dual Core 3.0 GHz
– RAM 4 GB, Disk 250 GB, NIC 1 Gbps

vCenter Server
– Processor: Dual Core 3.0 GHz
– RAM 8 GB, Disk 80 GB, 1 NIC 1 Gbps

Firewall

– Cisco ASA 5505 Firewall
– Cisco ASA 100v Virtual Appliance
– pfSense Software Firewall
– VMware NSX Distributed Firewall

Hypervisor/Software

– VMware ESXi 5.5 Hypervisor
– VMware vCenter 5.5
– VMware web client
– VMware vclient
– StarWind iSCSI software SAN
– VMware NSX
– Microsoft Server 2012 R2
– Microsoft DNS/AD/DHCP

Timeline

| Actual Work | Time Required |
|---|---|
| Create Virtualized Data Center | 2 Weeks |
| Installation of Network Monitoring and Analysis tools | 1 Week |
| Installation and Configuration of FW Scenarios | 2 Weeks |
| Creation and Configuration of Network devices | 1 Week |
| Creation and Configuration of VPN between end nodes | 1 Week |
| Analysis/Measurement of traffic for each scenario/level | 1 Month |
| Finalizing Results | 2 Weeks |
| Write-up of Analysis | 3 Weeks |
| Final Report | 1-2 Weeks |

Summary

• This study will be an actual implementation of VPN (IPSec/SSL) on 4 different levels of virtualization. VPN performance will be measured on all of these levels based on delays, bandwidth and throughput. This will give us results showing what kind of VPN performs better in different scenarios.

References

1. AbdelNasir Alshamsi and Takamichi Saito, "A Technical Comparison of IPSec and SSL", Advanced Information Networking and Applications, 2005. AINA 2005. 19th International Conference.

2. Shaneel Narayan, Kris Brooking, Simon de Vere, "Network Performance Analysis of VPN Protocols: An empirical comparison on different operating systems", Networks Security, Wireless Communications and Trusted Computing, NSWCTC, April 2009.

3. Samir Al-Khayatt, Siraj A. Shaikh, Babak Akhgar, Jawed Siddiqi, "Performance of Multimedia Applications with IPSec Tunneling", Information Technology: Coding and Computing, International Conference, April 2002.

4. I. Kotuliak, P. Rybár, P. Trúchly, "Performance Comparison of IPsec and TLS Based VPN Technologies", Emerging eLearning Technologies and Applications (ICETA), 2011 9th International Conference.

5. Ameen, Siddeeq Y, Nourildean, Shayma Wail, "Firewall and VPN Investigation on Cloud Computing Performance", International Journal of Computer Science and Engineering Survey 5.2 (Apr 2014).

6. Pena, C.J.C.; Evans, J., "Performance evaluation of software VPNs (VPN)", Local Computer Networks, 2000. LCN 2000. Proceedings. 25th Annual IEEE Conference 2000.

7. Ahmed A. Joha, Fathi Ben Shatwan, Majdi Ashibani, "Performance Evaluation for Remote Access VPN on Windows Server 2003 and Fedora Core 6", Telecommunications in Modern Satellite, Cable and Broadcasting Services, 2007. TELSIKS, 8th International Conference 2007.

8. T. Dierks and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", IETF RFC 5246, 2008.

9. Thomas Berger, "Analysis of Current VPN Technologies", Availability Reliability and Security, 2006. ARES 2006 IEEE, April 2006.

10. Wafaa Bou Diab, Samir Tohme, Carole Bassil, "VPN Analysis and New Perspective for Securing Voice over VPN Networks", Networking and Services, 2008, ICNS International Conference 2008.

11. Ayhan ERDOĞAN, Dz. Yzb, "Virtual Private Networks (VPNs): A Survey", Institute of Naval Sciences and Engineering 2008.

Any Questions?

End …

