Lesson 12:Understanding Virtual Private Networks

VPNs are a common topic today. Just about everyone is talking about implementing one. This module explains what a VPN is and covers the basic VPN technology. We’ll also go through some examples of VPNs including a return on investment analysis.

The Agenda

- What Are VPNs?

- VPN Technologies

- Access, Intranet, and Extranet VPNs

- VPN Examples

What Are VPNs?

Simply defined, a VPN is an enterprise network deployed on a shared infrastructure employing the same security, management, and throughput policies applied in a private network.

A VPN can be built on the Internet or on a service provider’s IP, Frame Relay, or ATM infrastructure. Businesses that run their intranets over a VPN service enjoy the same security, QoS, reliability, and scalability as they do in their own private networks.

VPNs based on IP can naturally extend the ubiquitous nature of intranets over wide-area links, to remote offices, mobile users, and telecommuters. Further, they can support extranets linking business partners, customers, and suppliers to provide better customer satisfaction and reduced manufacturing costs. Alternatively, VPNs can connect communities of interest, providing a secure forum for common topics of discussion.

Virtual Private Networks

Building a virtual private network means you use the “public” Internet (or a service provider’s network) as your “private” wide-area network.

Since it’s generally much less expensive to connect to the Internet than to lease your own data circuits, a VPN may allow to you connect remote offices or employees who wouldn’t ordinarily justify the cost of a regular WAN connection.
VPNs may be useful for conducting secure transactions, or transferring highly confidential data between offices that have a WAN connection.

Some of the technologies that make VPNs possible are:

- Tunneling
- Encryption
- QoS
- Comprehensive security

Why Build a VPN?

Why should customers consider a VPN?

- Company information is secured
-VPNs allow vital company information to be secure against unwanted intrusion

- Reduce costs

- Internet-based VPNs offer low-cost connectivity from anywhere in the world, and can be considered a viable replacement for leased-line or Frame Relay services

Using the Internet as a replacement for expensive WAN services can cut costs by as much as 60 percent, according to Forrester Research

- Also lower remote costs by connecting a mobile user over the Internet. (Often referred to as a virtual private dial-up networking, or VPDN).

- Wider connectivity options for users

- A VPN can provide more connectivity options (for example, over cable, DSL, telephone, or Ethernet)

- Increased speed of deployment

- Extranets can be created more easily (you don’t wait for suppliers). This keeps the customer in control of their own destiny.

However, for an Internet-based VPN to be considered as a viable replacement for leased-line or Frame Relay service, it must be able to offer a comparable level of security, quality of service, and reliability.

What’s Driving VPN Offerings?

The strain on today's corporate networks is greater than ever before. Network managers must continually find ways to connect geographically dispersed work groups in an efficient, cost-effective manner. Increasing demands from feature-rich applications used by a widely dispersed workforce are causing businesses of all sizes to rethink their networking strategies. As companies expand their networks to link up with partners, and as the number of telecommuters and remote users continues to grow, building a distributed enterprise becomes ever more challenging.
To meet this challenge, VPNs have emerged, enabling organizations to outsource network resources on a shared infrastructure. Access VPNs in particular appeal to a highly mobile work force, enabling users to connect to the corporate network whenever, wherever, or however they require.

Networked Applications

The traditional drivers of network deployment are also driving the deployment of VPNs.

New networked applications, such as videoconferencing, distance learning, advanced publishing, and voice applications, offer businesses the promise of improved productivity and reduced costs. As these networked applications become more prevalent, businesses are increasingly looking for intelligent services that go beyond transport to optimize the security, quality of service, management and scalability/reliability of applications end to end.

Example of a VPN

This what a VPN might look like for a company with offices in Munich, New York, Paris, and Milan.

VPN Technologies

Let’s take a look at some of the technologies that are integral to virtual private networks.

VPN Technology Building Blocks

Business-ready VPNs rely on both security and QoS technologies. Let’s take a look at both of these in more detail.

Security

Deploying WANs on a shared network makes security issues paramount. Enterprises need to be assured that their VPNs are secure from perpetrators observing or tampering with confidential data passing over the network and from unauthorized users gaining access to network resources and proprietary information. Encryption, authentication, and access control guard against these security breaches.

Key components of VPN security are as follows:

- Tunnels and encryption
- Packet authentication
- Firewalls and intrusion detection
- User authentication

These mechanisms complement each other, providing security at different points throughout the network. VPN solutions must offer each of these security features to be considered a viable solution for utilizing a public network infrastructure.
Let’s start by looking at tunnels and encryption. We’re going to look in detail at Layer 2 Tunneling Protocol (L2TP), Generic Routing Encapsulation (GRE), for tunnel support, as well as the strongest standard encryption technologies available--- IPSec, DES and 3DES.

Tunneling: L2F/L2TP

Layer 2 Forwarding (L2F) enables remote clients to gain access to corporate networks through existing public infrastructures, while retaining control of security and manageability. Cisco has submitted this new technology to the IETF for approval as a standard. It supports scalability and reliability features as discussed in later sections of this document.

L2F achieves private network access through a public system by building a secure "tunnel" across a public infrastructure to connect directly to a home gateway. The service requires only local dialup capability, reducing user costs and providing the same level of security found in private networks.

Using L2F tunneling, service providers can create a virtual tunnel to link customer remote sites or remote users with corporate home networks. In particular, a network access server at the POP exchanges PPP messages with the remote users and communicates by L2F requests and responses with the customer's home gateway to set up tunnels. L2F passes protocol-level packets through the virtual tunnel between endpoints of a point-to-point connection.

Frames from remote users are accepted by the service provider POP, stripped of any linked framing or transparency bytes, encapsulated in L2F, and forwarded over the appropriate tunnel. The customer's home gateway accepts these L2F frames, strips the L2F encapsulation, and processes incoming frames for the appropriate interface.

Layer 2 Tunneling Protocol (L2TP) is an extension to PPP. It is a draft IETF standard derived from Cisco L2F and Microsoft Point-to-Point Tunneling Protocol (PPTP). L2TP delivers a full range of security control and policy management features, including end-user security policy control. Business customers have ultimate control over permitting and denying users, services, or applications.

Tunneling: Generic Route Encapsulation (GRE)

GRE, or Generic Routing Encapsulation, is the standard solution for Service Providers that have an established IP network and want to provide managed IP VPN services.

One of the most significant advantages of this approach is that Service Providers can offer application-level QoS. This is possible because the routers still have visibility into the additional IP header information needed for fine-grained QoS (this is hidden in an IPSec packet).

Traffic is restricted to a single provider’s network, allowing end-to-end QoS control. This restriction of “on-net only” traffic also allows the GRE tunnels to remain secure without using encryption. Customers who require greater levels of security can still use “on-demand” application-level encryption such as secure connections in a web browser. The entire connection may be encrypted, but at the cost of QoS granularity.

In summary, GRE offers:

- Encryption-optional tunneling.
- Fine-grained QoS service capabilities, including application-level QoS.
- IP-level visibility makes this the platform of choice for building value-added services such as application-level bandwidth management.

What Is IPSec?

IPSec provides IP network-layer encryption.

IPSec is a standards-based technology that governs security management in IP environments. Originally conceived to solve scalable security issues in the Internet, IPSec establishes a standard that lets hardware and software products from many vendors interoperate more smoothly to create end-to-end security. IPSec provides a standard way to exchange public cryptography keys, specify an encryption method (e.g., data encryption standard (DES) or RC4), and specify which parts of packet headers are encrypted.

What is Internet Key Exchange (IKE)?

IPSec assumes that a security association is in place, but does have a mechanism for creating that association. The IETF chose to break the process into two parts: IPSec provides the packet level processing while IKE negotiates security associations. IKE is the mechanism IPSec uses to set up SAs
IKE can be used for more than just IPSec. IPSec is its first application. It can also be used with S/Mime, SSL, etc.

IKE does several things:

- Negotiates its own policy. IKE has several methods it can use for authentication and encryption. It is very flexible. Part of this is to positively identify the other side of the connection.
- Once it has negotiated an IKE policy, it will perform an exchange of key-material using authenticated Diffie-Hellman.
- After the IKE SA is established, it will negotiate the IPSec SA. It can derive the IPSec key material with a new Diffie Hellman or by a permutation of existing key material.

Summarize that IKE does these 3 things:

- Identification
- Negotiation of policy
- Exchange key material

IPSec VPN Client Operation

Now that you understand both IPSec and IKE, let’s look at what really happens from the client’s perspective.
An IPSec client is a software component that allows a desktop user to create an IPSec tunnel to a remote site. IPSec provides privacy, integrity, and authenticity for VPN client operations. With IPSec, no one can see what data you are sending and no one can change it.
What’s input by a remote user dialing in via the public Internet is encrypted all the way to corporate headquarters with an IPSec client to a router at the home gateway.

Here’s how it works.

First, the remote user dials into the corporate network. The client uses either an X.509 or one-time password with a AAA server to negotiate an Internet Key Exchange. Only after it’s authenticated is a secure tunnel created.
Then all data is encrypted.

IPSec is transparent tot he network infrastructure and is scalable from very small applications to very large networks. As you can see, this is an ideal way to connect remote users or telecommuters to corporate networks in a safe and secure environment.

L2TP and IPSec Are Complementary

Another thing that people often get confused about is the relationship between L2TP and IPSec. Remember that L2TP is Layer 2 Tunneling Protocol. Some people think that the two technologies are exclusive of each other. In fact, they are complementary.

So you can use both of these together. IPSec can create remote tunnels. L2TP can provide tunnel and end-to-end authentication.
So IPSec is going to maintain the encryption, but often times you want to tunnel non-IP traffic in addition to IP traffic.
L2TP can be useful for that.

Encryption: DES and 3DES

DES stands for Data Encryption Standard. It is a widely adopted standard created to protect unclassified computer data and communications. DES has been incorporated into numerous industry and international standards since its approval in the late 1970s.

DES and 3DES are strong forms of encryption that allow sensitive information to be transmitted over untrusted networks. They enable customers to utilize network layer encryption.

The encryption algorithm specified by DES is a symmetric, secret-key algorithm. Thus it uses one key to encrypt and decrypt messages, on which both the sending and receiving parties must agree before communicating. It uses a 56-bit key, which means that a user must correctly employ 56 binary numbers, or bits, to produce the key to decode information encrypted with DES.

DES is extremely secure, however, it has been cracked on several occasions by chaining hundreds of computers together at the same time; but even then, it took a very long time to break. This led to the development of Triple DES which uses a 168-bit algorithm.

Firewalls

A critical part of an overall security solution is a network firewall, which monitors traffic crossing network perimeters and imposes restrictions according to security policy. In a VPN application, firewalls protect enterprise networks from unauthorized access to computing resources and network attacks, such as denial of service. Furthermore, for authorized traffic, a VPN firewall verifies the source of the traffic and prescribes what access privileges users are permitted.

User Authentication

A key component of VPN security is making sure authorized users gain access to enterprise computing resources they need, while unauthorized users are shut out of the network entirely. AAA services (that stands for authentication, authorization, and accounting) provide the foundation to authenticate users, determine access levels, and archive all the necessary audit and accounting data. Such capabilities are paramount in the dial access and extranet applications of VPNs.

VPNs and Quality of Service

So how does QoS play a role in VPNs? Well, the goal of QoS is to control the utilization of bandwidth so that you can support mission critical applications. Here’s how it works. The customer premises equipment or CPE assigns packet priority based on the network policy. Packets are marked and bandwidth is managed so that the VNP WAN links don’t choke out the important traffic.
One example of this could be an employee watching television off the Internet to his PC where the video traffic clogs a small 56K WAN line making it impossible for mission critical financial application data to pass.
With QoS, you can take advantage of the service providers differentiated services to maximize network resources and minimize congestion at peak times.
For example, e-mail traffic doesn’t care about latency, but video and mission-critical applications do. Some components of bandwidth management/QoS that apply to VPNs are as follows:

- Packet classification---assigns packet priority based on enterprise network policy

- Committed access rate (CAR)---provides policing and manages bandwidth based on applications and/or users according to enterprise network policy

- Weighted Random Early Detection (WRED)---complements TCP in predicting and managing network congestion on the VPN backbone, ensuring predictable throughput rates

These QoS features complement each other, working together in different parts of the VPN to create a comprehensive bandwidth management solution. Bandwidth management solutions must be applied at multiple points on the VPN to be effective; single point solutions cannot ensure predictable performance.

Access, Intranet, and Extranet VPNs

Let’s look now at the three types of VPNs.

Three Types of VPNs

As previously stated, VPN is defined as customer connectivity deployed on a shared infrastructure with the same policies as a private network. The shared infrastructure can leverage a service provider IP, Frame Relay, or ATM backbone, or the Internet. Cisco defines three types of virtual private networks according to how businesses and organizations use VPNs:

Access VPNs provide remote connectivity to telecommuters and mobile users. They’re typically an alternative to dedicated dial or ISDN connections. They offer users a range of connectivity options as well as a much lower cost solution.

Intranet VPNs link corporate headquarters, remote offices, and branch offices over a shared infrastructure using dedicated connections. The VPN typically is an alternative to a leased line. It provides the benefit of extended connectivity and lower cost.

Extranet VPNs link customers, suppliers, partners, or communities of interest to a corporate intranet over a shared infrastructure using dedicated connections. In this example, the VPN is often an alternative to fax, snail mail, or EDI. The extranet VPN facilitates e-commerce.

Access VPNs Let’s look at the Access VPN in more detail.

Access VPNs

Remote access VPNs extend the corporate network to telecommuters, mobile workers, and remote offices with minimal WAN traffic. They enable users to connect to their corporate intranets or extranets whenever, wherever, or however they require. Remote access VPNs provide connectivity to a corporate intranet or extranet over a shared infrastructure with the same policies as a private network. Access methods are flexible---asynchronous dial, ISDN, DSL, mobile IP, and cable technologies are supported. Migrating from privately managed dial networks to remote access.

VPNs offers several advantages, most notably:

- Reduced capital costs associated with modem and terminal server equipment

- Ability to utilize local dial-in numbers instead of long distance or 800 numbers, thus significantly reducing long distance telecommunications costs

- Greater scalability and ease of deployment for new users added to the network

- Restored focus on core corporate business objectives instead of managing and retaining staff to operate the dial network

Access VPN Operation Overview

In an Access VPN environment, the most important aspect of security revolves around identifying a user as a member of an approved customer company and establishing a tunnel to its home gateway, which handles per-user authentication, authorization, and accounting (AAA).

User authentication is a critical characteristic of an Access VPN. Through a local point of presence (POP), a client establishes communication with the service provider network (1), and secondarily establishes a connection with the customer network (2).
The Access VPN tunnel end points authenticate each other (3).
Next, the user connects to the customer premises equipment (CPE) home gateway server (local network server) using PPP or SLIP (4) and is authenticated through a username/password handling protocol such as PAP, CHAP, or TACACS+.
The home gateway maintains a relationship with an access control server (ACS), also known as an AAA server, using TACACS+ or RADIUS protocols. At this point, authorization is set up using the policies stored in the ACS and communicated to the home gateway at the customer premises (5).
Often, the customer administrates the ACS server, providing ultimate and centralized control of who can access its network as well as which servers can be accessed. User profiles define what the user can do on the network. Using authorization profiles, the network creates a "virtual interface" for each user. Access policies are enforced using Cisco IOS software specific to each interface.

Access VPN Basic Components

An access VPN has two basic components:

L2TP Network Server (LNS): A device such as a Cisco router located in the customer premises. Remote dial users access the home LAN as if they were dialed into the home gateway directly, although their physical dialup is via the ISP network access server. Home gateway is the Cisco term for LNS.

An LNS operates on any platform capable of PPP termination. LNS handles the server side of the L2TP protocol. Because L2TP relies only on the single media over which L2TP tunnels arrive, LNS may have only a single LAN or WAN interface, yet still be able to terminate calls arriving at any LAC's full range of PPP interfaces (async, synchronous ISDN, V.120, and so on). LNS is the initiator of outgoing calls and the receiver of incoming calls. LNS is also known as HGW in L2F terminology.

L2TP Access Concentrator (LAC): A device such as a Cisco access server attached to the switched network fabric (for example, PSTN or ISDN) or colocated with a PPP end system capable of handling the L2TP protocol. An LAC needs to only implement the media over which L2TP is to operate to pass traffic to one or more local network servers (LNSs). It may tunnel any protocol carried within PPP. LAC is the initiator of incoming calls and the receiver of outgoing calls. LAC is also known as NAS in L2F.

Client-Initiated Access VPN

There are two types of Access VPNs. Essentially they are dedicated or dial.

With a dedicated or client-initiated Access VPNs, users establish an encrypted IP tunnel from their clients across a service provider's shared network to their corporate network.
With a client-initiated architecture, businesses manage the client software tasked with initiating the tunnel. Client-initiated VPNs ensure end-to-end security from the client to the host. This is ideal for banking applications and other sensitive business transactions over the Internet.
With client-initiated VPN Access, the end user has IPSec client software installed at the remote site, which can terminate into a firewall for termination into the corporate network. IPSec and IKE and certificate authority are used to generate the encryption, authentication, and certificate keys to be used to ensure totally secure VPN solutions.

Client-Initiated VPNs

An advantage of a client-initiated model is that the "last mile" service provider access network used for dialing to the point of presence (POP) is secured. An additional consideration in the client-initiated model is whether to utilize operating system embedded security software or a more secure supplemental security software package. While supplemental security software installed on the client offers more robust security, a drawback to this approach is that it entails installing and maintaining tunneling/encryption software on each client accessing the remote access VPN, potentially making it more difficult to scale.

NAS-Initiated Access VPN

In a NAS-initiated scenario, client software issues are eliminated. A remote user dials into a service provider's POP using a PPP/SLIP connection, is authenticated by the service provider, and, in turn, initiates a secure, encrypted tunnel to the corporate network from the POP using L2TP or L2F. With a NAS-initiated architecture, all VPN intelligence resides in the service provider network---there is no end-user client software for the corporation to maintain, thus eliminating client management burdens associated with remote access. The drawback, however, is lack of security on the local access dial network connecting the client to the service provider network. In a remote access VPN implementation, these security/management trade-offs must be balanced.

NAS-Initiated VPNs

Pros: NAS-initiated Access VPNs require no specialized client software, allowing greater flexibility for companies to choose the access software that best fits their requirements. NAS solutions use robust tunneling protocols such as Cisco L2F or L2TP.

IPSec provides encryption only, in contrast with the client-initiated model where IPSec enables both tunneling and encryption. Premium service examples include reserved modem ports, guarantees of modem availability, and priority data transport.

The NAS can simultaneously be used for Internet as well as VPN access.

All traffic to a given destination travels over a single tunnel from a NAS, making larger deployments more scalable and manageable.

Con: NAS-initiated Access VPN connections are restricted to POPs that can support VPNs.