VPN – Technologies and Solutions CS158B Network Management April 11, 2005 Alvin Tsang Eyob Solomon Wayne Tsui

Virtual Private Network (VPN)  a private network constructed within a public network infrastructure, such as the global Internet  two categories of VPNs A remote access VPN enables remotely located employees to communicate with a central location. Site-to-site VPN interconnects two private networks via a public network such as the Internet

Protocols used by VPN Point-to-Point-Tunneling Protocol (PPTP)  simple VPN technology based on point-to-point protocol  supports multiple encapsulation, authentication, and encryption. Layer 2 Tunneling Protocol (L2TP)  combination of PPTP and Layer 2 Forwarding (L2F)  Two types of L2TP L2TP Access Concentrator (LAC) L2TP Network Server (LNS) Internet Protocol Security (IPSec)  framework for protecting the confidentiality and integrity of data in transit  A common use of IPSec is the construction of a VPN

IPSec Protocols  IPSec defines new set of headers to be added to IP datagrams  ESP - Confidentiality, data integrity, and data source authentication. (frc2406)  AH - Data integrity, source authentication (frc2402) IP HeaderESP HeaderProtected Data ESP Trailer IP HeaderAH HeaderProtected Data

IPSec Modes Transport Mode  Protect upper-layer protocol, endpints exposed  IPSec header insert between IP header and upper layer protocol header Tunnel Mode  Entire IP Packet is protected, become payload of new packet  IPSec header is inserted between the outer and inner IP header.  Used by gateway for VPN, perform encryption on behalf of host IPSec SA  Relationship between entities on how to communicate securely.  Unidirectional, two for each pair, one from A to B, and B to A  Identified by a SPI, destination addr, security protocol identifier

IPSec Phases SPD  Security Policy Database maintains IPSec Policy  Each entry defines the traffic to be protected, how to protect  Three actions on traffic match: discard, bypass and protect  IP traffic mapped to IPSec policy by selector IKE  Establish security parameters, authentication (SAs) between IPSec peers  IKE SAs defines the way in which two peers communicate, which algorithm to use to encrypt IKE traffic, how to authenticate the remote peers.  SPD instruct IKE what to establish, IKE establish IPSec SAs based on its own policy settings Phase 1 communication  Identify the peers.  Create IKE SAs by authentication and key exchange  One side offers a set of algorithm, other side accept or reject. Derive key material to use for IPSec with AH, ESP or both Phase 2 communication  IPSec SAs negotiations are under protection of IKE SAs created in phase 1  IPSec shared key derived by using Diffie-Hellman or refresh shared secret.

VPN Solutions  Access VPN offers remote access to a company’s Intranet or Extranet. Example: employees who are on business trip or in home office  Intranet VPN offers the Intranet connection. Example: Branch offices  Extranet VPN offers the Extranet connection. Example: Business partners, customers

VPN Solutions – Benefits Access VPN  Economical: Internet access Vs. long distance dialup  Secure Intranet VPN  Economical: ISP Vs. dedicated connection  Flexible: topological design, new office  Reliable: Redundant ISP  Secure Extranet VPN  Same as Intranet VPN  Management, Authentication and authorization

VPN Example

VPN Example - Extranet VPN

Conclusion  Cheaper and Secure, Go for it!

Q & A Any questions?