
  • VPN

    Seminar Report

    submitted for the degree of Master of Computer Applications

    MACS Department

    NATIONAL INSTITUTE OF TECHNOLOGY KARNATAKA

    Surathkal, Mangalore

    FEB 2015

    Submitted by: ATUL BILUNG, 13CA15, MCA IV Semester

    Submitted to: Mrs. Sujatha D Achar, Mr. Suresh Kumar

  • DECLARATION

    I hereby declare that the seminar report entitled VPN, which is being submitted to the National Institute of Technology Karnataka, Surathkal, in partial fulfillment of the requirements for the mandatory learning course (MLC) of Master of Computer Applications in the Department of Mathematical and Computational Sciences, is a bonafide report of the work prepared by me. This material is collected from various sources with utmost care and is based on facts and truth.

    NAME - ATUL BILUNG

    ROLL NO. 13CA15

    MCA 4th Sem

    PLACE - NITK, SURATHKAL

  • CERTIFICATE

    This is to certify that the P.G. Seminar Report entitled VPN submitted by ATUL BILUNG (ROLL NO. 13CA15) as the record of the work carried out by them is accepted as the P.G. Seminar Work Report submission in partial fulfillment of the requirements for the mandatory learning course of Master of Computer Applications in the Department of Mathematical and Computational Sciences.

  • ABSTRACT

    A Virtual Private Network (VPN) is a concept introduced to implement a global Wide Area Network (WAN) on the Internet. This way the enormous costs involved in the traditional implementation of these networks, i.e. through dedicated lines or satellite links, are reduced considerably. A way to maintain fast, secure and reliable communications is attained wherever the offices are.

    In a VPN, the Internet is used as the data pipeline, replacing the traditional data lines. This approach is just right for small and medium-sized business firms. Now, many companies are creating their own VPN to accommodate the needs of remote employees and distant offices. Each remote member of your network can communicate in a secure and reliable manner using the Internet as the medium to connect to the private LAN, simply by making a contract with an ISP. A VPN can grow to accommodate more users and different locations much more easily than a leased line. In fact, scalability is a major advantage that VPNs have over typical leased lines. Unlike with leased lines, where the cost increases in proportion to the distances involved, the geographic locations of each office matter little in the creation of a VPN.

  • Contents

    1 Introduction
    2 What Makes a VPN?
    3 Types of VPN
    3.1 Remote-Access VPN
    3.2 Site-to-Site VPN
    3.3 Extranet VPN
    4 TYPES OF VPN PRODUCT
    5 VPN SECURITY
    6 Security
    6.1 Authentication
    6.2 Encryption
    6.3 Tunneling
    6.4 Tunneling Protocols
    7 Conclusion
    8 References

    List of Figures

    1 Remote Access Before VPN
    2 Remote Access After VPN
    3 Site to Site Before VPN
    4 Site to Site After VPN
    5 Extranet VPN
    6 The Passenger, Capsule and Carrier in the 7 Layer OSI model

  • Virtual Private Network

    1 Introduction

    VPN (Virtual Private Network) is a generic term used to describe a communication network that uses any combination of technologies to secure a connection tunnelled through an otherwise unsecured or untrusted network. Instead of using a dedicated connection, such as a leased line, a virtual connection is made between geographically dispersed users and networks over a shared or public network, like the Internet. Data is transmitted as if it were passing through private connections.

    A VPN transmits data by means of tunnelling. Before a packet is transmitted, it is encapsulated (wrapped) in a new packet with a new header. This header provides the routing information that lets the packet traverse a shared or public network until it reaches its tunnel endpoint. The logical path that the encapsulated packets travel through is called a tunnel. When each packet reaches the tunnel endpoint, it is decapsulated and forwarded to its final destination. Both tunnel endpoints need to support the same tunnelling protocol. Tunnelling protocols operate at either OSI (Open Systems Interconnection) layer two (data-link layer) or layer three (network layer). The most commonly used tunnelling protocols are IPsec, L2TP, PPTP and SSL. A packet with a private, non-routable IP address can be sent inside a packet with a globally unique IP address, thereby extending a private network over the Internet.

    My Definition: Basically, a VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users together. Instead of using a dedicated, real-world connection such as a leased line, a VPN uses virtual connections routed through the Internet from the company's private network to the remote site or employee.
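    The encapsulation step described above, as an added example that is not part of the original report: a minimal IPv4-in-IPv4 tunnel written with Python's standard library. It builds an inner packet carrying private (RFC 1918) addresses, wraps it behind an outer header with routable tunnel-endpoint addresses, and at the far end validates the outer header (version, lengths and checksum) before stripping it, which is the check a tunnel endpoint must make before it forwards anything it unwraps. All addresses and payloads are constructed for the demonstration; nothing is sent on the wire.

```python
"""IP-in-IP encapsulation and decapsulation (RFC 2003 style), standard library only.
Added example; the packets below are constructed in memory and never transmitted."""
import ipaddress
import struct

IPV4_HEADER_LEN = 20
PROTO_IPIP = 4     # IANA protocol number for IP-in-IP (RFC 2003)
PROTO_UDP = 17
HEADER_FMT = "!BBHHHBBH4s4s"   # ver/ihl, tos, total len, id, flags/frag, ttl, proto, csum, src, dst


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791). Over a header whose
    checksum field is already filled in, the result is 0 when it is intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options) followed by the payload."""
    total_len = IPV4_HEADER_LEN + len(payload)
    header = struct.pack(HEADER_FMT, 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes) -> dict:
    """Parse a header, rejecting malformed input before any field is trusted."""
    if len(packet) < IPV4_HEADER_LEN:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(HEADER_FMT, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < IPV4_HEADER_LEN or ihl > total_len or total_len > len(packet):
        raise ValueError("bad version or length fields")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("header checksum mismatch")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "ttl": ttl, "proto": proto, "payload": packet[ihl:total_len]}


def header_is_valid(packet: bytes) -> bool:
    try:
        parse_ipv4(packet)
        return True
    except ValueError:
        return False


def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel ingress: the whole inner packet becomes the payload of a new,
    publicly routable outer packet (the 'new header' the text describes)."""
    return build_ipv4(tunnel_src, tunnel_dst, PROTO_IPIP, inner)


def decapsulate(outer: bytes, my_address: str) -> bytes:
    """Tunnel egress: accept only IP-in-IP packets addressed to this endpoint,
    strip the outer header and return the validated inner packet."""
    hdr = parse_ipv4(outer)
    if hdr["dst"] != my_address or hdr["proto"] != PROTO_IPIP:
        raise ValueError("not a tunnel packet for this endpoint")
    parse_ipv4(hdr["payload"])           # the inner header must be well-formed too
    return hdr["payload"]


def demo() -> tuple:
    """Constructed addresses: RFC 1918 space inside, documentation (TEST-NET) space outside."""
    inner = build_ipv4("10.1.0.7", "10.2.0.9", PROTO_UDP, b"hello from the branch office")
    outer = encapsulate(inner, "198.51.100.1", "203.0.113.1")
    recovered = decapsulate(outer, "203.0.113.1")
    return parse_ipv4(outer), parse_ipv4(recovered), recovered == inner


if __name__ == "__main__":
    outer_hdr, inner_hdr, intact = demo()
    print("outer:", outer_hdr["src"], "->", outer_hdr["dst"], "proto", outer_hdr["proto"])
    print("inner:", inner_hdr["src"], "->", inner_hdr["dst"], "intact:", intact)
```

    The outer header is what routers on the public network see; the inner header with the 10.x addresses only becomes meaningful again after the endpoint has checked that the packet is really addressed to it, carries protocol 4, and has an intact checksum. A real tunnel would also encrypt and authenticate the inner packet, which this report covers under Sections 5 and 6.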

  • 2 What Makes a VPN?

    A well-designed VPN can greatly benefit a company. For example, it can:

    - Extend geographic connectivity
    - Improve security
    - Reduce operational costs versus a traditional WAN
    - Reduce transit time and transportation costs for remote users
    - Improve productivity
    - Simplify network topology
    - Provide global networking opportunities
    - Provide telecommuter support
    - Provide broadband networking compatibility
    - Provide faster ROI (return on investment) than a traditional WAN

    A well-designed VPN should incorporate the following features:

    - Security
    - Reliability
    - Scalability
    - Network management
    - Policy management

    3 Types of VPN

    1. Remote-Access VPN
    2. Site-to-Site VPN
    3. Extranet VPN

  • 3.1 Remote-Access VPN

    Remote access, also called a virtual private dial-up network (VPDN), is a user-to-LAN connection used by a company that has employees who need to connect to the private network from various remote locations. Normally, a company that wishes to set up a large remote-access VPN will outsource to an enterprise service provider (ESP). The ESP sets up a network access server (NAS) and provides the remote users with desktop client software for their computers. The telecommuters can then dial a low-call or free number (0800, 0500 etc.) to reach the NAS and use their VPN client software to access the corporate network.

    Figure 1: Remote Access Before VPN

    Figure 2: Remote Access After VPN

  • 3.2 Site-to-Site VPN

    Site-to-site VPNs are an alternative WAN infrastructure that is used to connect branch offices, home offices, or business partners' sites to all or portions of a company's network. VPNs do not inherently change private WAN requirements, such as support for multiple protocols, high reliability, and extensive scalability, but instead meet these requirements more cost-effectively and with greater flexibility. A company can connect multiple fixed sites over a public network such as the Internet through the use of dedicated equipment and large-scale encryption.

    Site-to-site VPNs can be one of two types:

    Intranet-based - If a company has one or more remote locations that it wishes to join in a single private network, it can create an intranet VPN to connect LAN to LAN.

    Extranet-based - When a company has a close relationship with another company (for example, a partner, supplier or customer), it can build an extranet VPN that connects LAN to LAN and allows all of the various companies to work in a shared environment.

    Figure 3: Site to Site Before VPN

    Figure 4: Site to Site After VPN

  • 3.3 Extranet VPN

    Extranet VPNs link customers, suppliers, partners, or communities of interest to a corporate intranet over a shared infrastructure using dedicated connections. Businesses enjoy the same policies as on a private network, including security, QoS, manageability, and reliability.

    Figure 5: Extranet VPN

    4 TYPES OF VPN PRODUCT

    VPNs can be broadly categorised as follows:

    1. A firewall-based VPN is one that is equipped with both firewall and VPN capabilities. This type of VPN makes use of the security mechanisms in firewalls to restrict access to an internal network. The features it provides include address translation, user authentication, real-time alarms and extensive logging.

    2. A hardware-based VPN offers high network throughput, better performance and more reliability, since there is no processor overhead. However, it is also more expensive.

  • 3. A software-based VPN provides the most flexibility in how traffic is managed. This type is suitable when the VPN endpoints are not controlled by the same party, and where different firewalls and routers are used. It can be used with hardware encryption accelerators to enhance performance.

    4. An SSL VPN allows users to connect to VPN devices using a web browser. The SSL (Secure Sockets Layer) protocol or TLS (Transport Layer Security) protocol is used to encrypt traffic between the web browser and the SSL VPN device. One advantage of SSL VPNs is ease of use: because all standard web browsers support the SSL protocol, users do not need to do any software installation or configuration.

    5 VPN SECURITY

    A VPN uses encryption to provide data confidentiality. Once connected, the VPN makes use of the tunnelling mechanism described above to encapsulate encrypted data into a secure tunnel, with headers that are readable in the clear so that the packets can cross a public network. Packets passed over a public network in this way are unreadable without the proper decryption keys, thus ensuring that data is not disclosed or changed in any way during transmission.

    A VPN can also provide a data integrity check. This is typically performed using a message digest to ensure that the data has not been tampered with during transmission.

    By default, a VPN does not provide or enforce strong user authentication. Users can enter a simple username and password to gain access to an internal private network from home or via other insecure networks. Nevertheless, VPNs do support add-on authentication mechanisms, such as smart cards, tokens and RADIUS.

    6 Security

    Nearly all VPNs share three fundamental security features:

    1. Authentication
    2. Encryption
    3. Tunneling

  • As we mentioned earlier, travelling through a forest can be dangerous without the protection of a vehicle. The Internet is similar in that private data sent through public networks without the protection of tunneling could be stolen, intercepted, and corrupted.

    6.1 Authentication

    Before establishing a secure channel for data transmission (encryption and tunneling), one must first authenticate both endpoints of the tunnel. This means proving the identity of both the client and the server.

    6.2 Encryption

    All modern VPNs use encryption to scramble data into ciphertext before sending the packets of data through the Internet. When the data packets arrive at their destination, they are decrypted into readable text by the recipient.

    There are two basic types of cryptography: 1) symmetric and 2) asymmetric. Asymmetric cryptography is more complex than symmetric and utilizes mathematically related public and private key pairs. This method is often used for smaller, more sensitive pieces of data, such as during authentication.

    Symmetric cryptography has a performance edge over asymmetric cryptography. Thus, it is commonly used in the tunneling process to exchange larger packets of data between two parties who have already authenticated each other using asymmetric cryptography.

    A VPN commonly uses asymmetric encryption to exchange keys and symmetric encryption to exchange data. Asymmetric systems are more secure, but symmetric systems have better performance. Both the client and the server take part in an asymmetric key exchange: each generates its own private key, derives the corresponding public key from it, and sends that public key to the other side. Each VPN endpoint now has its own private key as well as the other endpoint's public key.
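    Sections 5 and 6.2 together describe the session set-up a VPN performs: an asymmetric exchange in which each endpoint keeps a private value and publishes a public one, a symmetric key derived from the shared result, and a message digest that lets the receiver detect tampering. The following is an added example, not the report's own code and not any particular VPN product's protocol, that walks through that sequence with Python's standard library: a Diffie-Hellman exchange on deliberately small, demonstration-only parameters, an HMAC-based key derivation that yields separate encryption and integrity keys, and a keyed digest over each tunnel packet that the receiver checks in constant time before accepting the payload. The packet contents are constructed; the group parameters and the salt string are assumptions of the example.

```python
"""Key agreement, key derivation and per-packet integrity check for a tunnel.
Added example, standard library only. The Diffie-Hellman group below is a toy
(a 127-bit Mersenne prime); deployed VPNs use standardized groups (RFC 3526)
or elliptic-curve DH. Encryption of the payload with enc_key is left out,
since the standard library ships no AES."""
import hashlib
import hmac
import secrets
import struct

DH_P = 2**127 - 1      # demonstration-only modulus, NOT a secure group size
DH_G = 5
SECRET_LEN = 16        # bytes needed to hold a value < DH_P
TAG_LEN = 32           # HMAC-SHA256 output
SEQ_FMT = "!I"         # 4-byte sequence number carried in the clear


def dh_keypair() -> tuple:
    """Each endpoint keeps a private exponent and publishes g^priv mod p."""
    priv = secrets.randbelow(DH_P - 3) + 2
    return priv, pow(DH_G, priv, DH_P)


def dh_shared_secret(my_priv: int, peer_pub: int) -> bytes:
    """Both sides compute the same value from their own private key and the
    other side's public key; a public value outside (1, p-1) is rejected."""
    if not 1 < peer_pub < DH_P - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_pub, my_priv, DH_P).to_bytes(SECRET_LEN, "big")


def derive_keys(shared_secret: bytes, transcript: bytes) -> tuple:
    """Extract-then-expand (the RFC 5869 HKDF shape) to obtain two independent
    symmetric keys; binding the transcript ties the keys to this exchange."""
    prk = hmac.new(b"vpn-demo-salt", shared_secret, hashlib.sha256).digest()
    enc_key = hmac.new(prk, transcript + b"enc" + b"\x01", hashlib.sha256).digest()
    mac_key = hmac.new(prk, transcript + b"mac" + b"\x01", hashlib.sha256).digest()
    return enc_key, mac_key


def establish_session() -> tuple:
    """Run the exchange for a client and a server; returns both key sets."""
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    transcript = c_pub.to_bytes(SECRET_LEN, "big") + s_pub.to_bytes(SECRET_LEN, "big")
    client_keys = derive_keys(dh_shared_secret(c_priv, s_pub), transcript)
    server_keys = derive_keys(dh_shared_secret(s_priv, c_pub), transcript)
    return client_keys, server_keys


def protect(mac_key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender: header || payload || HMAC over header and payload."""
    body = struct.pack(SEQ_FMT, seq) + payload
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def verify(mac_key: bytes, packet: bytes):
    """Receiver: recompute the digest in constant time; return (seq, payload)
    on success, None if the packet was truncated or altered in transit."""
    if len(packet) < struct.calcsize(SEQ_FMT) + TAG_LEN:
        return None
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        return None
    return struct.unpack(SEQ_FMT, body[:4])[0], body[4:]


def demo() -> tuple:
    """Constructed traffic: one packet delivered intact, one altered by a bit flip."""
    (_, c_mac), (_, s_mac) = establish_session()
    packet = protect(c_mac, 1, b"inner packet bytes (constructed)")
    tampered = bytearray(packet)
    tampered[8] ^= 0x01                      # flip one bit inside the payload
    return verify(s_mac, packet), verify(s_mac, bytes(tampered))


if __name__ == "__main__":
    good, bad = demo()
    print("intact packet  ->", good)
    print("altered packet ->", bad)
```

    The split into two derived keys matters: the integrity key must not be the same bytes as the encryption key, and the receiver must compare digests with hmac.compare_digest rather than == so that the comparison time does not leak how many tag bytes matched. The sequence number is carried in the clear, as the report notes tunnel headers are, but it is covered by the digest, so it cannot be altered without detection.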

    6.3 Tunneling

    VPN technology is based on the idea of tunneling. In brief, tunneling is the process of placing an entire packet within another packet and sending it over a network. Tunneling consists of three parts:

    1. The Passenger
    2. The Capsule
    3. The Carrier

    The Passenger is the actual data being transmitted. The Capsule is the encrypting protocol being used, such as PPTP, IPsec or L2TP. The Carrier is the transport protocol, such as TCP/IP, NetBEUI, NetBIOS, or IPX, over which the data is sent.

    6.4 Tunneling Protocols

    There are currently three major tunneling protocols for VPNs: the Point-to-Point Tunneling Protocol (PPTP), Internet Protocol Security (IPsec), and the Layer 2 Tunneling Protocol (L2TP). These three protocols are incompatible with each other.

    1. Point-to-Point Tunneling Protocol (PPTP): is based on the Point-to-Point Protocol (PPP), which supports non-IP protocols such as NetBEUI, AppleTalk, and IPX/SPX. PPTP exists at the Data Link layer of the OSI model, as seen in Figure 6. PPTP supports 128-bit encryption and will use any authentication scheme supported by PPP.

    2. Internet Protocol Security (IPsec): is the second most popular VPN protocol. It supports stronger encryption than PPTP. IPsec exists at the Network layer of the OSI model, as seen in Figure 6. IPsec has two encryption modes: tunnel and transport. Tunnel mode encrypts the header and the payload of each packet, while transport mode only encrypts the payload. IPsec can encrypt data between routers, between clients and routers, between routers and firewalls, and between clients and servers.

    3. Layer Two Tunneling Protocol (L2TP): is a protocol implemented primarily in Cisco products. Like PPTP, L2TP exists at the Data Link layer of the OSI model, as seen in Figure 6. L2TP can be used as a tunneling protocol for site-to-site and remote-access VPNs. L2TP can create a tunnel between routers, between a NAS and a router, and between a client and a router.

    Figure 6: The Passenger, Capsule and Carrier in the 7 Layer OSI model

  • 7 Conclusion

    A VPN provides a means of accessing a secure, private, internal network over insecure public networks such as the Internet. A number of VPN technologies have been outlined, among which IPsec and SSL VPN are the most common. Although a secure communication channel can be opened and tunneled through an insecure network via a VPN, client-side security should not be overlooked.

    A VPN is a powerful tool that increases company and individual productivity. It increases productivity because employees are no longer restricted to the company campus. This allows the company to expand its reach and project itself into global markets. However, network administrators should grant VPN access to users with a certain level of discretion. Companies should develop and enforce security policies that list the requirements that must be met by employees to qualify for remote VPN access.

  • 8 References

    http://www.cisco.com/warp/public/779/largeent/design/vpn.html

    http://en.wikipedia.org/wiki/Virtual_private_network

    http://gizmodo.com/5990192/vpns-what-they-do-how-they-work-and-why-youre-dumb-for-not-using-one

    http://computer.howstuffworks.com/vpn7.htm