Title: Performance Evaluation for Remote Access VPNs on Windows Server 2003
Performance Evaluation for Remote Access VPNs on Windows Server 2003
By Ahmed A. Jaha, Fathi Ben Shatwan, Majdi Ashibani
Outline
- Paper Objectives
- VPN Overview
- Experimental Testbeds
- Experimental Results
- Conclusions and Future Work
Paper Objectives
- Give an overview of VPN.
- Survey popular remote access VPN solutions that are widely available.
- Experimentally evaluate the performance of these solutions on wired and wireless Windows Server 2003 platforms.
- Identify issues that have future research potential.
What is VPN?
A VPN can be defined as a way to provide secure communication between members of a group over the public telecommunication infrastructure (usually the Internet), maintaining privacy through a tunneling protocol and the security procedures applied to it (authentication, access control, encryption and integrity protection). VPN systems give users the illusion of a completely private network.
[Figure: a remote user reaching the Acme Corp network through a tunnel across the public network]
Tunneling
- A method of using an internetwork infrastructure to transfer data belonging to one network across another network: packets of the inner network are encapsulated inside packets of the outer network, transmitted across it, and decapsulated at the far end of the tunnel.
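As an added illustration of the encapsulate, transmit, decapsulate cycle (example code written for this page, not from the paper), the following Python builds an IPv4-over-GRE tunnel packet in memory and strips it again, checking the outer header on the way back. It uses the basic RFC 2784 GRE header; PPTP's enhanced GRE (RFC 2637) adds key and sequence fields on top of this, so the 24-byte overhead computed here is a lower bound, not PPTP's exact figure. The addresses and payload are constructed.

```python
"""IPv4-over-GRE encapsulation and decapsulation (RFC 2784 basic header).

Constructed example for this page. Not PPTP's enhanced GRE (RFC 2637),
which adds 4-byte key and sequence fields to the header built here.
"""
import struct

GRE_PROTO_IPV4 = 0x0800  # EtherType-style protocol value for an IPv4 payload
IPPROTO_GRE = 47         # outer IPv4 protocol number for GRE


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header; returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                ident: int = 0, ttl: int = 64) -> bytes:
    """20-byte IPv4 header without options, with the checksum filled in."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0,
                      ttl, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Wrap an inner IPv4 packet in outer IPv4 + 4-byte GRE (no C/K/S flags)."""
    gre = struct.pack("!HH", 0, GRE_PROTO_IPV4)
    outer = ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre) + len(inner))
    return outer + gre + inner


def gre_decapsulate(packet: bytes) -> bytes:
    """Validate the outer IPv4/GRE headers and return the inner packet."""
    if packet[0] >> 4 != 4:
        raise ValueError("outer packet is not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer protocol is not GRE")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 header checksum")
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0x0007:                      # low 3 bits carry the GRE version
        raise ValueError("unsupported GRE version")
    if proto != GRE_PROTO_IPV4:
        raise ValueError("unexpected GRE protocol 0x%04x" % proto)
    gre_len = 4
    if flags & 0x8000:                      # C: checksum + reserved1 present
        gre_len += 4
    if flags & 0x2000:                      # K: key present
        gre_len += 4
    if flags & 0x1000:                      # S: sequence number present
        gre_len += 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    return packet[ihl + gre_len:total_len]


def overhead_ratio(inner_len: int, outer_len: int) -> float:
    """Fraction of bytes on the wire that are tunnel overhead."""
    return (outer_len - inner_len) / outer_len


if __name__ == "__main__":
    # Constructed inner packet: a 12-byte UDP-ish payload behind a 20-byte IPv4 header.
    inner = ipv4_header("10.0.0.5", "10.0.0.9", 17, 12) + b"hello world!"
    outer = gre_encapsulate(inner, "198.51.100.1", "203.0.113.1")
    assert gre_decapsulate(outer) == inner
    print("inner %d bytes, on the wire %d bytes, overhead %.1f%%"
          % (len(inner), len(outer), 100 * overhead_ratio(len(inner), len(outer))))
```

The overhead fraction is why small packets (voice, interactive traffic) suffer more from tunneling than bulk transfers: the 24 bytes are fixed per packet, so a 32-byte inner packet spends over 40% of the wire on headers while a 1400-byte one spends under 2%.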
Security of VPN
- Authentication
  - Authentication ensures that the data is coming from the source from which it claims to come, i.e. that the peer at the other end of the tunnel is who it claims to be.
- Access Control
  - Access control is the accepting or rejecting of a particular requester's access to some service or data in a given system. It therefore requires a defined set of access rights, privileges, and authorizations, assigned to the appropriate people within the domain of the system under analysis.
- Confidentiality
  - Confidentiality ensures the privacy of information by preventing unauthorized users from reading data carried over the public network.
- Data Integrity
  - Data integrity verifies that data has not been altered during its travel over the public network.
Benefits of VPN
- Cost
  - A VPN eliminates the fixed monthly charge of dedicated leased lines.
- Scalability
  - As the enterprise grows, full-mesh connectivity might be required between the different offices. A full mesh of n sites needs n(n-1)/2 leased lines, so the number of lines, and the total cost of deploying them, grows quadratically with the number of sites.
  - A VPN that utilizes the Internet avoids this problem by simply using the infrastructure already available: each site needs only its own Internet connection.
- Security
  - Security is not impaired when using a VPN, since transmitted data is encrypted (and integrity-protected) by the tunnel protocol or, if sent unencrypted, is forwarded only through trusted networks.
- Productivity
  - In addition to cost savings, a VPN increases profits by improving productivity, which results from the ability to access resources from anywhere at any time.
Architecture of VPN
- Remote Access VPN
  - User-to-LAN connection used by enterprises that have employees who need to connect to their private network from various remote locations (e.g. homes, hotel rooms, airports).
  [Figure: remote user -> Internet -> enterprise main site]
- Intranet Site-to-Site VPN
  - LAN-to-LAN connection used to connect enterprise offices over the Internet.
  [Figure: enterprise branch site -> Internet -> enterprise main site]
- Extranet Site-to-Site VPN
  - LAN-to-LAN connection that provides business partners, suppliers, and customers access to certain data.
  [Figure: supplier site and partner site -> Internet -> enterprise main site]
Remote Access VPN Protocols
- Point to Point Tunneling Protocol (PPTP), layer 2
  - Developed by Microsoft and others (RFC 2637).
  - Extension of the Point to Point Protocol (PPP): PPP frames are carried inside GRE.
  - Clients are included in all versions of Windows since Windows 95.
  - Servers are included in all Windows server products since Windows NT.
  - Clients and servers are supported in Linux.
- Layer Two Tunneling Protocol (L2TP), layer 2
  - Developed by the IETF (RFC 2661).
  - Combines the best features of L2F and PPTP.
  - Provides no encryption of its own, so it is commonly used with IPSec -> L2TP/IPSec.
  - Clients are included in Windows XP, 2000, and 2003.
  - Servers are included in Windows Server 2000 and 2003.
  - Clients and servers are supported in Linux.
- Internet Protocol Security (IPSec), layer 3
  - Framework developed by the IETF (RFCs 2401-2411 and 2451).
  - IPSec is supported in Windows XP, 2000, 2003 and Vista, and in Linux 2.6 and later.
  - Many vendors supply IPSec VPN servers and clients.
- Secure Sockets Layer (SSL), layer 5 and above
  - Higher-layer security protocol developed by Netscape.
  - Used with HTTP to enable secure Web browsing (HTTPS).
  - Supported by most browsers and servers.
  - SSL can also be used to create a VPN tunnel (OpenVPN), an open-source VPN package for Linux and Windows that runs as a user-space daemon over a tun/tap interface.
Performance Metrics
- Throughput
  - The rate at which bulk data can be transferred from one host to another, measured over a sufficiently long period of time.
- Round Trip Time (RTT)
  - The time it takes one packet to travel from one host to another and back to the originating host.
- Packet delay variation (Jitter)
  - The variation in delay between successive packets; large jitter degrades the quality of service of real-time traffic such as voice and video.
- Packet loss
  - The proportion of packets transmitted but not received at the destination, relative to the total number of packets transmitted.
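To make the four definitions concrete, here is an added Python example (written for this page; it is not code from the paper, nor from iperf or hrping) that computes each metric from a constructed one-way UDP trace and a constructed set of ping round trips. Jitter uses the RFC 3550 smoothed interarrival-variation estimator, which is what iperf reports for UDP streams; throughput is taken over the window from the first send to the last arrival; loss is counted from missing sequence numbers; a final helper normalises a VPN measurement against a no-VPN baseline the way the results later in this deck are expressed. All timestamps, sizes and RTT values are invented.

```python
"""Throughput, RTT, jitter and packet loss from a constructed packet trace.

Added example for this page; the trace and RTT samples below are invented.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Datagram:
    seq: int                   # sender sequence number
    size: int                  # UDP payload bytes
    sent: float                # sender timestamp, seconds
    received: Optional[float]  # receiver timestamp, seconds; None = lost


# Constructed one-way UDP stream: 10 datagrams of 1470 bytes sent every 1 ms.
# seq 4 and 7 never arrive; the rest see 5.0 to 5.5 ms of one-way delay.
SAMPLE_STREAM = [
    Datagram(0, 1470, 0.000, 0.0050),
    Datagram(1, 1470, 0.001, 0.0062),
    Datagram(2, 1470, 0.002, 0.0070),
    Datagram(3, 1470, 0.003, 0.0085),
    Datagram(4, 1470, 0.004, None),
    Datagram(5, 1470, 0.005, 0.0101),
    Datagram(6, 1470, 0.006, 0.0110),
    Datagram(7, 1470, 0.007, None),
    Datagram(8, 1470, 0.008, 0.0133),
    Datagram(9, 1470, 0.009, 0.0140),
]

# Constructed echo round trips in seconds, the kind of values hrping prints.
SAMPLE_RTTS = [0.00031, 0.00029, 0.00035, 0.00030]


def throughput_mbps(stream: List[Datagram]) -> float:
    """Delivered payload bits over the window from first send to last arrival."""
    delivered = [d for d in stream if d.received is not None]
    if not delivered:
        return 0.0
    bits = 8 * sum(d.size for d in delivered)
    window = max(d.received for d in delivered) - min(d.sent for d in stream)
    return bits / window / 1e6


def rtt_stats_ms(rtts: List[float]) -> Tuple[float, float, float]:
    """Minimum, mean and maximum round-trip time in milliseconds."""
    ms = [r * 1e3 for r in rtts]
    return min(ms), sum(ms) / len(ms), max(ms)


def jitter_ms(stream: List[Datagram]) -> float:
    """RFC 3550 interarrival jitter in ms: for consecutive arrivals i, j,
    D = (R_j - S_j) - (R_i - S_i) and J += (|D| - J) / 16."""
    arrivals = sorted((d for d in stream if d.received is not None),
                      key=lambda d: d.received)
    jitter = 0.0
    prev_transit = None
    for d in arrivals:
        transit = d.received - d.sent
        if prev_transit is not None:
            jitter += (abs(transit - prev_transit) - jitter) / 16.0
        prev_transit = transit
    return jitter * 1e3


def packet_loss_pct(stream: List[Datagram]) -> float:
    """Lost datagrams as a percentage of those sent, by sequence number."""
    sent = {d.seq for d in stream}
    got = {d.seq for d in stream if d.received is not None}
    return 100.0 * len(sent - got) / len(sent)


def relative_to_baseline(vpn_value: float, no_vpn_value: float,
                         as_percent: bool) -> float:
    """Express a VPN measurement against the no-VPN run: throughput as a
    percentage of no-VPN, RTT/jitter/loss as a multiple of no-VPN."""
    ratio = vpn_value / no_vpn_value
    return 100.0 * ratio if as_percent else ratio


if __name__ == "__main__":
    lo, mean, hi = rtt_stats_ms(SAMPLE_RTTS)
    print("throughput %.2f Mbit/s" % throughput_mbps(SAMPLE_STREAM))
    print("RTT min/avg/max %.3f/%.4f/%.3f ms" % (lo, mean, hi))
    print("jitter %.4f ms" % jitter_ms(SAMPLE_STREAM))
    print("loss %.1f%%" % packet_loss_pct(SAMPLE_STREAM))
```

Two points worth noting when comparing runs: the RFC 3550 estimator is a running average with a 1/16 gain, so it needs tens of packets before it settles and is sensitive to the order of arrival, not the order of sending; and loss counted by sequence gaps will also count late packets that arrive after the report window closes, so a long-running UDP test should be read together with its jitter figure.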
Wired Testbed Setup
- Domain controller: desktop PC with dual 2600 MHz processors, 512 MB of RAM and a built-in VIA Rhine II compatible Fast Ethernet NIC, running Windows Server 2003 and configured as a domain controller.
- VPN server: desktop PC with dual Genuine Intel 3000 MHz processors, 512 MB of RAM, a built-in Broadcom Extreme Gigabit Ethernet NIC and a VIA VT6105 Rhine III compatible Fast Ethernet NIC, running Windows Server 2003 and configured to act as the PPTP, L2TP/IPSec and SSL VPN server.
- VPN client: laptop PC with a Genuine Intel 1866 MHz processor, 512 MB of RAM and a built-in Broadcom 440x 10/100 integrated controller NIC, running Windows XP SP2 and configured to act as the PPTP, L2TP/IPSec and SSL VPN client.
- Switch: D-Link 10/100 Fast Ethernet switch.
Wireless Testbed Setup
- Access point: Linksys Wireless-G AP with SES, model WAP54G.
Performance Measurement Tools
- Iperf: TCP and UDP throughput, plus UDP jitter and packet loss.
- Hrping: high-resolution round trip time (RTT).
[Result charts: TCP throughput, Round Trip Time (RTT), UDP throughput, Jitter, Packet loss]
Wired Testbeds Results
Because PPTP adds the smallest per-packet overhead, PPTP on both Windows Server 2003 and Fedora Core 6 produced the best performance values for both TCP- and UDP-based user applications.

To provide strong security, L2TP/IPSec combines the L2TP tunnel with IPSec's secure channel, which increases the per-packet overhead. Accordingly, L2TP/IPSec on both Windows Server 2003 and Fedora Core 6 produced good, but lower, performance values for both TCP- and UDP-based user applications.

Because OpenVPN is written as a user-space daemon rather than a kernel module (every packet crosses the kernel/user boundary on the way in and again on the way out), OpenVPN on both Windows Server 2003 and Fedora Core 6 produced lower performance values in high-traffic environments.

Wired results relative to the no-VPN baseline (throughput as a percentage of the no-VPN value, higher is better; RTT, jitter and packet loss as a multiple of the no-VPN value, lower is better):

Metric                           | Wired PPTP | Wired L2TP/IPSec | Wired OpenVPN
TCP throughput (% of no VPN)     |   82.37    |      55.23       |     52.59
RTT (multiple of no VPN)         |    1.98    |       2.52       |      2.86
UDP throughput (% of no VPN)     |   51.04    |      68.12       |      6.65
Jitter (multiple of no VPN)      |    4.34    |       2.53       |    377.18
Packet loss (multiple of no VPN) |    5.27    |       3.49       |     24.55

Note that on the UDP rows as tabulated, L2TP/IPSec is ahead of PPTP (higher throughput, lower jitter and lower loss); the "best for both TCP and UDP" statement above is fully borne out only by the TCP throughput and RTT rows. OpenVPN's jitter and loss multiples are the clearest sign of the user-space bottleneck under load.
Wireless Testbeds Results
[Result charts for the wireless testbed]
Conclusions and Future Work
Conclusions
- Testbeds were built to evaluate the performance of remote access VPN solutions (PPTP, L2TP/IPSec, and OpenVPN) on wired and wireless Windows Server 2003 platforms.
- Performance metrics (throughput, RTT, jitter, and packet loss) were measured in both TCP and UDP mode. These metrics were chosen because they have a direct impact on the performance perceived by end-user applications.
- The wireless testbed performance values indicate that deploying VPNs on a wireless network infrastructure can be considered an acceptable choice for securing transmission between wireless clients and their enterprise network.
Future Work
- The performance of software-based VPN solutions on platforms other than Windows Server 2003 (such as Linux, BSD, Mac, and Solaris) can be evaluated to select the best platform on which to implement software-based VPN solutions.
- The performance of hardware-based VPN solutions using different hardware VPN products (such as 3Com, ADTRAN, Cisco, and Juniper) should be investigated as well.
- OpenVPN needs tuning to improve its performance in high-traffic environments.
Thank you for your attention