Advantages of VPN
Cost savings: Private networks used to be the only solution for WAN connectivity, but they were expensive, not always feasible, hard to scale, and lacked security features. A VPN running over the Internet is an inexpensive alternative that takes full advantage of the Internet’s cost savings while providing a superior level of security.
Smooth and Seamless Integration: A VPN integrates seamlessly with the existing network infrastructure. There is no need to change your network architecture or any network software component.
Secure Remote Access: One of the primary objectives of a VPN is to give remote users secure access to the organization’s trusted network. VPN technology allows the same connectivity whether the connection is network to network, host to host, client to server, dial-up, or from home office or mobile users.
Extranet Connections: In today’s global economy, most organizations have one or more partners for the mutual growth and success of the business. Companies have to connect to their external partners to share certain information, sometimes even critical, confidential information, so they need a secure connection between the two partners. VPN solutions provide a secure connection between the two parties, allowing even proprietary information to be shared.
Low Maintenance: VPN eliminates much of the day-to-day maintenance such as key management and SNMP.
Remote Access (host-to-site) VPN
Site-to-site (intranet and extranet) VPN
Remote Access (Host-to-Site) VPN
Site-to-Site (Intranet and Extranet) VPN
Intranet-based VPN – A company with a small number of remote offices that wishes to connect all of them into a single network can use this type of connection. A seamless connection is established between all the remote branches of the company, which allows systems and network resources to be shared. This gives the impression that the different networks of the various branches are one single network.
Extranet-based VPN – A company may wish to connect with its partner’s network. One company’s LAN is connected with another company’s LAN to share certain information across the companies for better business relationships and processes. For example, in a supply chain relationship, companies allow their partners to connect to their network to share the database and other relevant information. The extranet VPN allows the companies to share certain information with their partners, such as only a customer database application and nothing else. If the team working on this database application consists of 10 people from one company and 5 people from the partner company, then a secure VPN is created only between this small network of 10 systems and the other 5 systems. No other network resources are shared except for the database application. It allows the companies to work together in a secure, shared environment while keeping their internal networks secure and available only to internal users.
VPN and Firewall
Data Authentication and Data Integrity
Internet Protocol Security (IPSec)
Point-to-Point Tunneling Protocol (PPTP)
Generic Routing Encapsulation (GRE) or IP Tunneling
Layer Two Tunneling Protocol (L2TPv3)
Multi-Protocol Label Switching (MPLS)
The Secure Socket Layer (SSL)
Point-to-Point Tunneling Protocol (PPTP)
PAP – The Password Authentication Protocol (PAP) provides a simple method for the peer to establish its identity using a two-way handshake as soon as the link is established.3
PAP is not a strong authentication method. Passwords are sent over the link in clear text (plain text), and there is no protection against playback (replay) or repeated-packet attacks.
CHAP – This is another authentication protocol. The Challenge-Handshake Authentication Protocol (CHAP) verifies the identity of the remote user with a three-way handshake. After the link is established, the server sends a “challenge” message to the remote user; this is the first handshake. The remote user responds to the “challenge” with a value computed using a one-way hash; this is the second handshake. If the response matches, the authentication is acknowledged and a connection is established; this is the third handshake. Otherwise the connection is terminated. CHAP protects the network from playback (replay) or repeated-packet attacks and controls the frequency and timing of the challenges.4
MS-CHAP – Microsoft CHAP
MS-CHAPv2 – Microsoft CHAP version 2 (and later versions)
Extensible Authentication Protocol (EAP)
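The following Python is an added example, not code from the chapter: it models the PAP and CHAP exchanges described above so the difference is visible in what crosses the link. The CHAP response is computed as RFC 1994 specifies (MD5 over Identifier, secret and Challenge); the shared secret and peer name are constructed sample values.

```python
import hashlib
import hmac
import os

# Shared secret provisioned on both peers out of band (constructed sample value).
SECRET = b"correct horse battery staple"


def pap_authenticate_request(peer_id: bytes, password: bytes) -> bytes:
    """PAP: the peer sends its ID and password as-is once the link is up.
    Whatever this returns is exactly what an observer of the link sees."""
    return peer_id + b":" + password


def chap_challenge() -> tuple:
    """Server, handshake 1: a fresh Identifier and a random Challenge value."""
    return os.urandom(1)[0], os.urandom(16)


def chap_response(identifier: int, challenge: bytes, secret: bytes) -> bytes:
    """Peer, handshake 2 (RFC 1994): MD5(Identifier || secret || Challenge).
    The secret itself never crosses the link; only this one-way hash does."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, challenge: bytes, response: bytes,
                secret: bytes) -> bool:
    """Server, handshake 3: recompute the expected hash and compare it in
    constant time; a match means Success, otherwise the link is dropped."""
    expected = chap_response(identifier, challenge, secret)
    return hmac.compare_digest(expected, response)


def run_exchanges() -> dict:
    """Drive PAP and CHAP once and report what each reveals or rejects."""
    pap_on_wire = pap_authenticate_request(b"alice", SECRET)

    ident, chal = chap_challenge()
    resp = chap_response(ident, chal, SECRET)
    first_ok = chap_verify(ident, chal, resp, SECRET)

    # An observer who captured `resp` replays it later; the server has issued
    # a new challenge in the meantime, so the stale hash no longer matches.
    ident2, chal2 = chap_challenge()
    replay_ok = chap_verify(ident2, chal2, resp, SECRET)

    # A peer holding the wrong secret cannot produce a matching response.
    wrong_ok = chap_verify(ident, chal, chap_response(ident, chal, b"x"), SECRET)
    return {"pap_reveals_secret": SECRET in pap_on_wire,
            "chap_ok": first_ok, "replay_ok": replay_ok, "wrong_ok": wrong_ok}
```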
Layer Two Tunneling Protocol (L2TPv3)
Generic Routing Encapsulation (GRE)
Internet Protocol Security (IPSec)
Security Protocols – Authentication Header (AH) and Encapsulating Security Payload (ESP)
Security Associations – what they are and how they work, how they are managed, and associated processing
Key Management – manual and automated (The Internet Key Exchange (IKE))
Cryptographic algorithms for authentication and encryption
IPSec Tunnel and Transport Modes
Tunnel mode is used between two gateways, or between a host and a gateway, with the gateway acting as a proxy for the hosts behind it.
The Authentication Header (AH)
The Encapsulating Security Payload (ESP)
Internet Key Exchange (IKE)
MPLS (Multi-Protocol Label Switching)
MPLS forwarding can be done by Layer 2 switches that can read MPLS labels but cannot analyze Layer 3 (network layer) headers.
Quality of Service (QoS) – MPLS allows traffic to be prioritized, so high-priority traffic is forwarded on the network before lower-priority traffic. MPLS networks assign higher priority to latency-sensitive applications such as voice and video than to less sensitive applications.
Improved performance, reliability, and efficiency of the network
MPLS VPNs and VPLS services enable multiple sites to connect seamlessly
MPLS VPN Security
The ingress SP router assigns a unique VPN ID to each destination, thus ensuring a private connection between two users.
Any other packet entering the MPLS backbone network without a label, or with a label that is not known to the MPLS network, is discarded.
SP routers can use MD5 or a similar technique to protect the MPLS labels, thus providing additional security.
If the customer wants to send data that is very sensitive and must be protected, then IPSec or a similar protocol can be adopted.
Important IETF Standards and RFCs for VPN Implementation
VPN Protocol Category / Description of RFC
Layer Two Tunneling Protocol (L2TP)
Point-to-Point Tunneling Protocol (PPTP)
RFC 2890 (Obsolete 2784) – Generic Routing Encapsulation
RFC 4303 (Obsolete 2406) – Encapsulating Security Payload (ESP)
RFC 4302 (Obsolete 2402) – IP Authentication Header
RFC 4301 (updated 6301) – Security Architecture for the Internet Protocol
IP Security Roadmap
A Framework for IP Based Virtual Private Networks
Using IPsec to Secure IPv6-in-IPv4 Tunnels
Mobile IPv4 Traversal across IPsec-Based Gateways
IPSec Key Exchange
Internet Key Exchange Protocol (IKEv2)
Internet Security Association and Key Management Protocol (ISAKMP)
Internet Key Exchange (IKE)
OAKLEY Key Determination Protocol
Analysis of the Security of BGP/MPLS IP Virtual Private Networks (VPNs)
BGP/MPLS IP Virtual Private Networks (VPNs)
Security Framework for Provider-Provisioned Virtual Private Networks (PPVPNs)
The ESP DES-CBC Cipher Algorithm With Explicit IV
HMAC: Keyed-Hashing for Message Authentication
The Use of HMAC-MD5-96 within ESP and AH
The NULL Encryption Algorithm and Its Use with IPsec
IP Payload Compression Protocol (IPComp)
IP Payload Compression Using ITU-T V.44 Packet Method
The AES-CBC Cipher Algorithm and Its Use with IPsec
Using Advanced Encryption Standard (AES) Counter Mode With IPsec Encapsulating Security Payload (ESP)
The SEED Cipher Algorithm and Its Use with IPsec
Use of Hash Algorithms in Internet Key Exchange (IKE) and IPsec
The Camellia Cipher Algorithm and Its Use with IPsec
The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP)
The Advanced Encryption Standard-Cipher-based Message Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128) Algorithm for the Internet Key Exchange Protocol (IKE)
US Secure Hash Algorithms (SHA and HMAC-SHA)
Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with IPsec
A Few Final Thoughts about VPN
Authentication and Data Integrity
VPN accelerator devices should support keys that are sufficiently long. A 128-bit key is certainly long enough, but not all devices support it.
Even with VPN technologies, it is possible for an attacker to insert bits into the data stream during transmission. IPSec has an integrity mechanism that detects such tampering, whereas other protocols may have limitations in this area.
It is important for the end devices to interoperate. IPSec at both ends should support the same AH and ESP algorithms and key lengths; otherwise, a connection may not be established at all.
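To make the integrity and anti-replay points concrete, here is an added Python example (not the chapter’s own code) of the two checks an IPsec ESP/AH receiver applies: a truncated HMAC integrity check value (HMAC-SHA-256-128 as in RFC 4868) that catches inserted or flipped bits, and the RFC 4303 sliding anti-replay window that rejects repeated or stale sequence numbers. The packet layout is simplified to SPI, sequence number, payload and ICV, and the key is a constructed sample value.

```python
import hashlib
import hmac
import struct

ICV_LEN = 16  # HMAC-SHA-256-128 (RFC 4868): 256-bit tag truncated to 128 bits

def compute_icv(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """ICV over the fields ESP/AH authenticate: SPI, sequence number, payload."""
    data = struct.pack("!II", spi, seq) + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]

def build_packet(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Sender: SPI | Seq | payload | ICV (layout simplified from RFC 4303)."""
    return struct.pack("!II", spi, seq) + payload + compute_icv(key, spi, seq, payload)

class ReplayWindow:
    """RFC 4303 section 3.4.3 sliding window: each sequence number is accepted
    once, and anything older than the window is rejected."""
    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set means (top - i) was already received

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:                       # 0 is never a valid sequence number
            return False
        if seq > self.top:                 # advance the window to the new top
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) & ((1 << self.size) - 1)) | 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:              # behind the window: too old
            return False
        if (self.bitmap >> diff) & 1:      # inside the window but already seen
            return False
        self.bitmap |= 1 << diff
        return True

def receive(key: bytes, window: ReplayWindow, packet: bytes) -> str:
    """Receiver verdict: 'ok', 'bad-icv' (bits altered in transit) or 'replay'.
    The ICV is verified before the window is updated, so a forged packet
    never consumes a sequence number."""
    spi, seq = struct.unpack("!II", packet[:8])
    payload, icv = packet[8:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(compute_icv(key, spi, seq, payload), icv):
        return "bad-icv"
    if not window.check_and_update(seq):
        return "replay"
    return "ok"
```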
The business need for teams outside the organization, such as sales, marketing, and logistics, to connect securely to organizational data centers was explored. As most of the information that is transmitted needs to be secure, we looked into the option of having a dedicated line. We discussed how costly a dedicated line is to acquire and maintain, and its other disadvantages. Then we discussed a cheaper alternative, the Virtual Private Network (VPN), which provides privacy, integrity, and authenticity for data transmitted by internal team members from outside the organization. A VPN is a secure tunnel created between the internal network and trusted outside parties, including internal workers operating beyond the organizational boundary.
We looked into the benefits of VPNs, including cost savings, smooth and seamless integration, secure remote access, extranet connections, and low maintenance.
We discussed the two important types of VPNs: Remote Access (Host to Site) and Site to Site. We discussed how Remote Access VPNs help the organizational workforce operating from outside the organization to connect securely to the corporate LAN. We also looked into how this is implemented and how a secure tunnel is established between the external workforce and the organizational internal network after authentication to the VPN gateway. Then we explored how site-to-site VPNs help one branch office connect to another branch office or to headquarters, and how this is established through a handshake between the two VPN gateways at either end. Then we looked into two types of site-to-site VPNs: intranet-based VPNs and extranet-based VPNs. We also looked briefly into how host-to-host VPNs work.
We also discussed how the VPN protocol architecture supports tunneling, data authentication, data integrity, data encryption, and anti-replay services. We then explored each of the protocols, namely the Point-to-Point Tunneling Protocol (PPTP), the Layer Two Tunneling Protocol (L2TPv3), the Generic Routing Encapsulation (GRE) tunneling protocol, and Internet Protocol Security (IPSec), in detail. We also looked into the need for Internet key management and how it is ensured.
Finally, we highlighted some of the points to be kept in mind when designing the VPN technology.