Performance Evaluation for Remote Access VPNs on Windows Server 2003

1
Performance Evaluation for Remote Access VPNs on
Windows Server 2003
By Ahmed A. Jaha, Fathi Ben Shatwan, Majdi Ashibani
2
Outline
  • Paper Objectives
  • VPN Overview.
  • Experimental Testbeds
  • Experimental Results
  • Conclusions and Future Work.

3
  • Paper Objectives

4
Paper Objectives
  • Overview of VPN
  • Survey popular remote access VPN solutions that
    are widely available
  • Experimental performance evaluation of these
    solutions on wired and wireless Windows Server
    2003 platforms.
  • Identify issues that have future research
    potential

5
  • VPN Overview

6
What is VPN?
VPN can be defined as a way to provide secure
communication between members of a group through
use of the public telecommunication
infrastructure (usually the Internet),
maintaining privacy through the use of a
tunneling protocol and security procedures. VPN
systems provide users with the illusion of a
completely private network.
7
Tunneling
  • Method of using an internetwork infrastructure to
    transfer data from one network over another
    network (encapsulation, transmission, and
    decapsulation of packets)

8
Security of VPN
  • Authentication
  • Authentication ensures that the data is coming
    from the source from which it claims to come.

9
Security of VPN
  • Authentication
  • Access Control
  • Access control is the accepting or rejecting of
    a particular requester's access to some service
    or data in a given system. It is therefore
    necessary to define a set of access rights,
    privileges, and authorizations, and assign these
    to the appropriate people within the domain of
    the system under analysis.

10
Security of VPN
  • Authentication
  • Access Control
  • Confidentiality
  • Confidentiality ensures the privacy of
    information by preventing unauthorized users
    from reading data carried on the public network.

11
Security of VPN
  • Authentication
  • Access Control
  • Confidentiality
  • Data Integrity
  • Data integrity verifies that data has not been
    altered during its travel over the public
    network.

12
Benefits of VPN
  • Cost
  • VPNs eliminate the fixed monthly charge of
    dedicated leased lines.

13
Benefits of VPN
  • Cost
  • Scalability
  • As the enterprise grows, full-mesh connectivity
    might be required between the different offices.
    This means that the number of leased lines, and
    the total cost associated with deploying them,
    increases exponentially.
  • A VPN that uses the Internet avoids this problem
    by simply using the infrastructure already
    available.

14
Benefits of VPN
  • Cost
  • Scalability
  • Security
  • Security is not impaired when using VPN since
    transmitted data is either encrypted or, if sent
    unencrypted, forwarded through trusted networks.

15
Benefits of VPN
  • Cost
  • Scalability
  • Security
  • Productivity
  • In addition to cost savings, VPN increases
    profits by improving productivity.
  • The improved productivity results from the
    ability to access resources from anywhere at
    anytime.

16
Architecture of VPN
  • Remote Access VPN
  • User-to-LAN connection used by enterprises that
    have employees who need to connect to their
    private network from various remote locations
    (e.g. homes, hotel rooms, airports).

[Diagram: Remote User, Internet, Enterprise main site]
17
Architecture of VPN
  • Remote Access VPN
  • Intranet Site-to-Site VPN
  • LAN-to-LAN connection used to connect an
    enterprise's offices over the Internet.

[Diagram: Enterprise branch site, Internet, Enterprise main site]
18
Architecture of VPN
  • Remote Access VPN
  • Intranet Site-to-Site VPN
  • Extranet Site-to-Site VPN
  • LAN-to-LAN connection that provides business
    partners, suppliers, and customers with access
    to certain data.

[Diagram: Supplier Site and Partner Site, Internet, Enterprise main site]
19
Remote Access VPN Protocols (L2)
  • Point to Point Tunneling Protocol (PPTP)
  • Developed by Microsoft and others (RFC 2637).
  • Extension of Point to Point Protocol (PPP).
  • Clients are included in all versions of Windows
    since Windows 95.
  • Servers are included in all Windows Server
    products since Windows NT.
  • Clients and servers are supported in Linux.

20
Remote Access VPN Protocols (L2)
  • Point to Point Tunneling Protocol (PPTP)
  • Layer Two Tunneling Protocol (L2TP)
  • Developed by IETF (RFC 2661).
  • Combines best features of L2F and PPTP.
  • Commonly used with IPSec -> L2TP/IPSec.
  • Clients are included in Windows XP, 2000, and
    2003.
  • Servers are included in Windows Server 2000 and
    2003.
  • Clients and servers are supported in Linux.

21
Remote Access VPN Protocols (L3)
  • Point to Point Tunneling Protocol (PPTP)
  • Layer Two Tunneling Protocol (L2TP)
  • Internet Protocol Security (IPSec)
  • Framework developed by IETF (RFCs 2401-2411 and
    2451).
  • IPSec is supported in Windows XP, 2000, 2003 and
    Vista, in Linux 2.6 and later.
  • Many vendors supply IPSec VPN servers and clients.

22
Remote Access VPN Protocols (L5)
  • Point to Point Tunneling Protocol (PPTP)
  • Layer Two Tunneling Protocol (L2TP)
  • Internet Protocol Security (IPSec)
  • Secure Socket Layer (SSL)
  • Higher layer security protocol developed by
    Netscape.
  • Used with HTTP to enable secure Web browsing
    (HTTPS).
  • Supported by most browsers and servers
  • SSL can also be used to create a VPN tunnel
    (OpenVPN).
  • Open-source VPN package for Linux and Windows.

23
  • Experimental Testbeds

24
Performance Metrics
  • Throughput
  • The rate at which bulk data can be transferred
    from one host to another over a sufficiently
    long period of time.

25
Performance Metrics
  • Throughput
  • Round Trip Time (RTT)
  • The amount of time it takes one packet to travel
    from one host to another and back to the
    originating host.

26
Performance Metrics
  • Throughput
  • Round Trip Time (RTT)
  • Packet delay variation (Jitter)
  • The variation of packet delay where delays
    actually impact the quality of service.

27
Performance Metrics
  • Throughput
  • Round Trip Time (RTT)
  • Packet delay variation (Jitter)
  • Packet loss
  • The portion of packets transmitted but not
    received at the destination compared to the total
    number of packets transmitted.
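The four metrics defined on these slides, computed from per-packet records, as an added example that is not part of the original presentation. The function names, record layout and sample values are assumptions made for illustration; jitter uses the smoothed estimator from RFC 3550, and the last helper expresses a VPN run relative to a no-VPN run, which is how the results slides report their values.

```python
from statistics import mean

def udp_metrics(received, packets_sent):
    """received: (seq, sent_s, recv_s, payload_bytes) tuples seen by the receiver."""
    if len(received) < 2:
        raise ValueError("need at least two received packets to measure a rate")
    pkts = sorted(received, key=lambda p: p[2])          # order of arrival
    duration = pkts[-1][2] - pkts[0][2]                  # first to last arrival
    # Payload delivered inside that interval, i.e. everything after packet one.
    throughput = 8 * sum(p[3] for p in pkts[1:]) / duration / 1e6
    jitter, prev = 0.0, pkts[0][2] - pkts[0][1]
    for _, sent, recv, _ in pkts[1:]:
        transit = recv - sent
        # Smoothed mean deviation of transit time (RFC 3550 interarrival jitter).
        # Only differences are used, so a constant clock offset cancels out.
        jitter += (abs(transit - prev) - jitter) / 16
        prev = transit
    loss = 1 - len({p[0] for p in pkts}) / packets_sent  # duplicates count once
    return {"throughput_mbps": throughput, "jitter_ms": jitter * 1e3, "loss": loss}

def rtt_ms(probes):
    """probes: (request_sent_s, reply_received_s, or None if unanswered)."""
    return mean((r - s) * 1e3 for s, r in probes if r is not None)

def relative_to_baseline(vpn, base):
    """Throughput as % of the no-VPN run; every other metric as a multiple of it."""
    return {k: (100 * vpn[k] / base[k] if k.startswith("throughput")
                else vpn[k] / base[k])
            for k in vpn}

# Constructed sample: four 1500-byte datagrams sent 10 ms apart, seq 2 never arrives.
SAMPLE_RUN = [(0, 0.000, 0.010, 1500), (1, 0.010, 0.022, 1500),
              (3, 0.030, 0.040, 1500)]
# Constructed sample: three echo probes, the last one unanswered.
SAMPLE_PROBES = [(0.0, 0.004), (1.0, 1.006), (2.0, None)]

if __name__ == "__main__":
    print(udp_metrics(SAMPLE_RUN, packets_sent=4))
    print(rtt_ms(SAMPLE_PROBES))
```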

28
Wired Testbed Setup
29
Wired Testbed Setup
Desktop PC equipped with a dual 2600 MHz
processor, 512 Mbytes of RAM, and a VIA Rhine II
Compatible Fast Ethernet Adapter built-in NIC,
loaded with Windows Server 2003 and configured to
act as a domain controller server.
30
Wired Testbed Setup
Desktop PC equipped with a dual Genuine Intel
3000 MHz processor, 512 Mbytes of RAM, a Broadcom
Extreme Gigabit Ethernet built-in NIC, and a VIA
VT6105 Rhine III Compatible Fast Ethernet NIC,
loaded with Windows Server 2003, and configured
to act as PPTP, L2TP/IPSec, and SSL VPN servers.
31
Wired Testbed Setup
Laptop PC equipped with a Genuine Intel 1866 MHz
processor, 512 Mbytes of RAM, and a Broadcom 440x
10/100 Integrated controller built-in NIC,
loaded with Windows XP SP2 and configured to
act as PPTP, L2TP/IPSec, and SSL VPN clients.
32
Wired Testbed Setup
D-Link 10/100 Fast Ethernet Switch.
33
Wireless Testbed Setup
LINKSYS, wireless-G, AP with SES model WAP54G.
34
Performance measurement Tools (Iperf)
35
Performance measurement Tools (Hrping)
36
  • Experimental Results

37
TCP throughput
38
TCP throughput
39
Round Trip Time (RTT)
40
UDP Throughput
41
Jitter
42
Packet Loss
43
Wired Testbeds Results
44
Wired Testbeds Results
Because PPTP introduces the smallest packet
overhead, PPTP on both Windows Server 2003 and
Fedora Core 6 produced the best performance
values for both TCP and UDP-based user
applications.
45
Wired Testbeds Results
In order to have strong security, L2TP/IPSec
combines L2TP's tunnel with IPSec's secure
channel, which increases the packet overhead. So,
L2TP/IPSec on both Windows Server 2003 and Fedora
Core 6 produced good performance values for
both TCP and UDP-based user applications.
46
Wired Testbeds Results
Because OpenVPN was written as a user-space
daemon rather than a kernel module, OpenVPN on
both Windows Server 2003 and Fedora Core 6
produced lower performance values in high
traffic environments.
  • TCP throughput (in % of no VPN): Wired OpenVPN
    52.59, Wired L2TP/IPSec 55.23, Wired PPTP 82.37
  • Round Trip Time (RTT) (in multiple of no VPN):
    Wired OpenVPN 2.86, Wired L2TP/IPSec 2.52,
    Wired PPTP 1.98
  • UDP throughput (in % of no VPN): Wired OpenVPN
    6.65, Wired L2TP/IPSec 68.12, Wired PPTP 51.04
  • Jitter (in multiple of no VPN): Wired OpenVPN
    377.18, Wired L2TP/IPSec 2.53, Wired PPTP 4.34
  • Packet loss (in multiple of no VPN): Wired
    OpenVPN 24.55, Wired L2TP/IPSec 3.49, Wired
    PPTP 5.27
47
Wireless Testbeds Results
48
  • Conclusions and Future Work

49
Conclusions
  • Testbeds have been built to evaluate the
    performance of remote access VPN solutions (PPTP,
    L2TP/IPSec, and OpenVPN) on wired and wireless
    Windows Server 2003 platforms.
  • Performance metrics (Throughput, RTT, Jitter, and
    packet loss) have been measured in both TCP and
    UDP mode. These metrics are used in our
    experiments as they have a direct impact on the
    ultimate performance perceived by end user
    applications.
  • The wireless testbed performance values indicate
    that the deployment of VPNs on a wireless network
    infrastructure could be considered as an
    acceptable choice to secure transmission between
    wireless clients and their enterprise network.

50
Future Work
  • The performance of software-based VPN solutions
    on platforms other than Windows Server 2003 (such
    as Linux, BSD, Mac, and Solaris) can be evaluated
    to select the best platform on which to
    implement software-based VPN solutions.
  • The performance evaluation of hardware-based VPN
    solutions using different hardware VPN products
    (such as 3Com, ADTRAN, Cisco, and Juniper) should
    be investigated as well.
  • OpenVPN needs to be modified to improve
    its performance in high traffic environments.

51
  • Thank you for your attention