VPN Technology Advances And Challenges - PowerPoint PPT Presentation

Loading...

PPT – VPN Technology Advances And Challenges PowerPoint presentation | free to download - id: aa572-NGQ0Z



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

VPN Technology Advances And Challenges

Description:

Telecommuters and those who travel often might find VPNs to be a more convenient ... ESP Trailer. Optional ESP authentication. Security Parameter Index (SPI ) ... – PowerPoint PPT presentation

Number of Views:634
Avg rating:3.0/5.0
Slides: 92
Provided by: lil97
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: VPN Technology Advances And Challenges


1
VPN Technology Advances And Challenges
  • LILISH M SAKI
  • Lmsaki_at_scu.edu
  • Santa Clara University
  • COEN 329
  • Winter 2002

2
AGENDA
  • Introduction
  • VPN overview and benefits
  • Technology behind VPN
  • VPN tunneling protocols
  • IPsec VPN Implementation details
  • Implementation alternatives
  • Future challenges
  • Conclusion

3
Introduction to VPN
  • Earlier organizations used to build WAN - now
    called intranets, through dedicated leased
    lines/ATM/frame relay to connect their different
    branches and offices.
  • In addition, some organizations selectively open
    their WAN access to partners to provide extranet
    services.
  • Proves costly for many organization to support
    these kind of intranet/extranet architecture.

4
Introduction to VPN (Contd.)
  • Also for mobile workers to log in to a dial-up
    intranet, he/she must call into a company's
    remote access server using either a 1-800 number
    or a remote number.
  • Incurs long distance telephone charges. Virtual
    private network (VPNs) utilize public network,
    like internet, to carry private communications
    safely and inexpensively.  .
  • Very useful for many organizations looking to
    both expand their networking capabilities and
    reduce their costs.

5
Introduction to VPN (Contd.)
  • Telecommuters and those who travel often might
    find VPNs to be a more convenient way to stay
    "plugged in" to the corporate intranet.
  • A VPN can support the same intranet/extranet
    services as a traditional WAN, but VPNs are most
    popular for their support of secure remote access
    service.

6
VPN Overview
Local ISP
LAN
VPN Tunnel
Remote user
Secure VPN Connection
Dedicated link to ISP
Companys Authentication server
Public Network
7
VPN Overview (Contd.)
  • The diagram above illustrates a VPN remote access
    solution. A remote user (client) wants to log
    into the company LAN.
  • The VPN client uses local ISP to connect into the
    authentication server of his company.
  • The server authenticates the client, upon which
    he can now communicate with the company network
    just as securely over the public network as if it
    resided on the internal LAN.

8
VPN Overview (Contd.)
  • A small remote office can also be connected this
    way, which does not have permanent connection to
    corporate intranet. In this case, remotes
    offices server establishes VPN connection with
    the corporate server.
  • In the above process of establishing connection,
    a VPN tunnel is created between the remote user
    and the authentication server through internet.

9
VPN Overview - Tunneling
  • Tunneling is needed because internet, though
    cost-effective, basically is public shared
    network and its not suitable in its natural state
    for secure transactions or private
    communications.
  • In tunneling instead of sending a frame as it is
    produced by the originating node, the tunneling
    protocol encapsulates a data packet within a
    normal IP packet for forwarding over an IP-based
    network and routed between tunnel endpoints.

10
Common uses of VPNs
  • There are three main uses of VPN
  • Intranet VPNsAllow private networks to be
    extended across the internet or other public
    network service in a secure way. Intranet VPNs
    are sometimes referred to as site-to-site or
    LAN-to-LAN VPNs.
  • Extranet VPNs Allow secure connections with
    business partners, suppliers and customers for
    the purpose of e-commerce. Extranet VPNs are an
    extension of intranet VPNs with the addition of
    firewalls to protect the internal network.

11
Common uses of VPNs (Contd.)
  • Remote access VPNs Allows individual dial-up
    users to connect to a central site across the
    internet or other public network service in a
    secure way. Remote access VPNs are sometimes
    referred to as dial VPNs.
  • Secure Intranets Internally Intranets can also
    utilize VPN technology to implement controlled
    access to individual subnets on the private
    network. In this mode, VPN clients connect to a
    VPN server that acts as a gateway to computers
    behind it on the subnet.

12
Common Uses of VPNs
Three uses of VPN are shown in the following
diagram
13
VPN Benefits
  • Low cost.
  • Eliminates the need for expensive long-distance
    leased lines.
  • With VPNs, an organization needs only a
    relatively short dedicated connection to the
    service provider.
  • This connection could be a local leased line
    (much less expensive), or it could be a local
    broadband connection such as DSL service.

14
VPN Benefits (Contd.)
  • Dial-in VPNs reduces costs by lessening the need
    for long-distance telephone charges for remote
    access.
  • Lower costs through offloading of the support
    burden. With VPNs, the service provider rather
    than the organization must support dial-up access
    for example.

15
VPN Benefits (Contd.)
  • Scalability
  • The cost to an organization of traditional leased
    lines may be reasonable initially but can
    increase exponentially as the organization grows.
  • Four branch offices require six lines for full
    connectivity, five offices require ten lines, and
    so on.

16
VPN Benefits (Contd.)
  • In a traditional WAN this explosion limits the
    flexibility for growth. VPNs that utilize the
    internet avoid this problem by simply tapping
    into the geographically-distributed access
    already available.
  • Due to the ubiquitous nature of ISP services, it
    is possible to link even the most remote users or
    branch offices into the network.

17
Basic VPN requirements
  • At a minimum, a VPN solution should provide all
    of the following
  • User Authentication The solution must verify a
    user's identity and restrict VPN access to
    authorized users. In addition, the solution must
    provide audit and accounting records to show who
    accessed what information and when.
  • Address Management The solution must assign a
    client's address on the private net, and must
    ensure that private addresses are kept private.

18
Basic VPN Requirements
  • Data Encryption Data carried on the public
    network must be rendered unreadable to
    unauthorized clients on the network.
  • Key Management The solution must generate and
    refresh encryption keys for the client and
    server.

19
Basic VPN Requirements
  • Multiprotocol Support The solution must be able
    to handle common protocols used in the public
    network. These include Internet Protocol (IP),
    Internet Packet Exchange (IPX), and so on.
  • security negotiation and complex filtering.

20
Basic VPN Requirements (Contd.)
  • ManagementClient-based software should be as
    transparent as possible. VPN carriers will
    require new management tools in order to simplify
    the configuration and monitoring of a corporate
    customer's VPN.
  • Further emerging requirements like QoS, CoS,
    etc., will be discussed later on.

21
Technology behind VPN
  • A VPN is essentially a software technique to
    route private traffic on public internet.
  • Three functions form basis of VPN.
  • Packet encapsulation - Tunneling.
  • Encryption.
  • Authentication.
  • Scope of Encapsulation and Encryption.
  • Next slide shows layout of IP header.
  • Each part of IP packet has security exposures if
    sent in clear over the internet.

22
Technology behind VPN
  • The threats mentioned below, requires us to
    encrypt the entire packet when sending packets
    over internet.

IP Packet and security threats.
Other header
User data
IP Header
Passwords, userID, credit card info, all other
data
Src. And dest. Address, other information
Information useful to hackers
23
Encryption Concepts
  • Privacy of the information sent over VPN is
    ensured by encryption.
  • Encryption is a technique of scrambling (into
    cipher text) and unscrambling information (back
    to clear text ).

24
Encryption Concepts
  • Asymmetric public key cryptography normally used
    for encryption and decryption.
  • Encryption Algorithms.
  • DES (56 bit key length).
  • 3DES (168 bit key length).
  • AES (Advanced Encryption standard) newest
    algorithms supporting.

25
Authentication Concepts
  • Authentication basically answers following
    question.
  • Are you really who you say you are ?
  • There are two types of authentication
    User/System Authentication and Data
    Authentication.
  • User/System Authentication
  • Verifying that the person or system is indeed
    the one who claims to be.
  • A Common technique is to send a challenge to
    other side by sending a random number.

26
Authentication Concepts (Contd.)
  • The challenged side returns a value by encrypting
    the random number using key only known to
    challenged side.
  • The challenger decrypts the returned value, and
    if it matched original number, challenged party
    is termed as authentic.

27
Authentication Concepts (Contd.)
  • Data Authentication
  • This verifies that the packet has not be altered
    during its trip over the internet.
  • A typical technique done before encryption is
    that the sender calculate a number ,called a
    hash, based on data content and append it to the
    data packet.
  • Receiver decrypts the packets, calculates the
    hash independently and compared this receiver
    calculated hash with the hash appended to the
    data.
  • If both hash do not match, data has been altered
    and receiver rejects it.

28
Tunneling Basics
  • Encrypting IP header is not enough since
    intermediate routers would not be able to read
    destination address.
  • Tunneling protocol encapsulates the frame in an
    additional header.

29
Tunneling Basics
  • The additional header provides routing
    information so that the encapsulated payload can
    traverse the intermediate internetwork.
  • Tunneling includes this entire process
    (encapsulation, transmission, and de-capsulation
    of packets.

30
Tunneling Basics
Tunnel End Points
Tunnel
Tunneled Payload
Payload
Tunneling
31
Tunneling Basics (Contd.)
  • The logical path through which the encapsulated
    packets travel through the internetwork is called
    a tunnel.
  • Once the encapsulated frames reach their
    destination on the internetwork, the frame is
    un-encapsulated and forwarded to its final
    destination.

32
Tunneling Basics (Contd.)
  • Tunneling technology can be based on either a
    Layer 2 or Layer 3 tunneling protocol.
  • Layer 2 Tunneling protocols PPTP, L2TP, L2TF.
  • Layer 3 Tunneling Protocols IP over IP and IPSec
    (Tunnel Mode).
  • The next slide shows the comparison table of
    features that each of above protocol support and
    then individual protocols are discussed.

33
Tunneling Protocols Features Comparison
34
Tunneling Protocols Comparison
  • Each of above features is critical in determining
    the implementation of various VPN protocols.
  • IPSec is gaining more and more support from
    vendors because of its security, however issues
    like user authentication and multi-protocol
    support are still there and work is going on to
    resolve this issues.
  • PPTP and L2TP lacks machine and packet
    authentication as standard which makes this
    protocols vulnerable and much less secure than
    IPSec.

35
Appropriate Protocol Use
X denotes it supports
36
Tunneling Protocols PPTP
  • PPTP protocol is built on the top of PPP and
    TCP/IP.
  • PPTP tunneling makes use of two basic packet
    types data packets and control packets.
  • PPTP is a Layer 2 protocol that encapsulates PPP
    frames in IP datagrams for transmission over an
    IP internetwork, such as the Internet.

37
Tunneling Protocols PPTP
  • Control packets are used for status inquiry and
    signaling information and is sent over TCP
    connection.
  • Data portion is sent using PPP encapsulated in
    Generic Routing Encapsulation (GRE) V2 protocol.
  • GRE protocol allows for encapsulation for
    arbitrary data packets within arbitrary transport
    protocol.
  • Such as IPX, NetBEUI, TCP.

38
Tunneling Protocols PPTP (Contd.)
The PPTP Standard
Media Header
IP Header
GRE Header
PPP Header
User DATA
What is GRE ?
Delivery Protocol
GRE Header
Payload Protocol
Information (x -octets)
39
PPTP Security
  • Security of PPTP has been enhanced to support RAS
    (Remote access server) which supports MS-CHAP,
    RSA RC 4 encryption.
  • It does not intrinsically include any encryption
    and authentication mechanisms.
  • There is no packet authentication and in general
    it is much weaker then IPSec and thus much more
    susceptible to attack.

40
Tunneling Protocols L2TP
  • L2TP is standards based combination of two
    proprietary Layer 2 tunneling approaches.
  • It combines best parts of Microsofts PPTP and
    Ciscos L2F.
  • Main difference between L2TP and PPTP is that
    L2TP combines data and control channels and runs
    over UDP as opposed to TCP.
  • More firewall friendly than PPTP since UDP is
    faster and also two channels are combined.

41
Tunneling Protocols L2TP
  • Crucial advantage on extranet VPN applications.
  • L2TP supports non-Internet based VPNs including
    frame relay, ATM, and Sonet.
  • In L2TP PPP connection is tunneled using IP
    between LAC-LNS pair.
  • LAC L2TP access concentrator.
  • LNS L2TP Network server.

42
L2TP Encapsulation
The L2TP Standard
Media header
IP Header
UDP header
L2TP Header
PPP Header
User Data
43
L2TP Security
  • L2TP doesnt intrinsically include encryption
    support.
  • However, secure functionality of IPSec can be
    used to secure the L2TP tunnel.
  • L2TP is more suitable for multiprotocol support
    and remote access VPN.

44
Tunneling Protocols - IPSec
  • IPSec is open standard layer 3 security protocol
    that protect IP datagrams.
  • IPSec has many components (including some still
    in development), but they boil down to just two
    main functions authentication and encryption.
  • It Provides robust, extensible mechanism in
    which to provide security to IP and upper layer
    protocols like UDP and TCP.

45
Tunneling Protocols IPSec (Contd.)
  • It protects IP datagrams by specifying the
    traffic to protect, how the traffic is protected,
    and to whom the traffic is sent.
  • IPsec can protect IP datagrams between hosts,
    network security gateways (firewalls, routers),
    and between hosts and security gateways.

46
IPSec security features
  • Data origin authentication Ensures that received
    data is same as sent data and that recipient
    knows who sent that data.
  • Data integrity Ensures that data is transmitted
    without alteration.
  • Relay protection It offers partial sequence
    integrity.
  • Data Confidentiality It ensures that no one can
    read the sent data, possible by using the
    encryption algorithms.

47
IPSec Components
  • IPSec provides following components.
  • Encapsulating Security Payload (ESP) Provides
    data origin authentication, relay protection,
    data integrity and data confidentiality.
  • Authentication Header (AH) Provides data origin
    authentication, relay protection, data integrity.
  • Internet Key Exchange (IKE) Provides key
    management and security association (SA)
    management.

48
Encapsulating Security Payload (ESP)
  • ESP provides authentication, integrity,
    confidentiality which protects against data
    tampering and message content protection.
  • IPSec provides open framework for standard
    algorithms like MD5, SHA.
  • ESP also provides encryption services in IPSec.
  • Encryption/Decryption allows the sender and
    authorized receiver to read the data.

49
Encapsulating Security Payload (ESP) Contd.
  • ESP also has option called ESP authentication.
  • Provide authentication and integrity to IP
    payload not to the IP header.
  • The ESP header is inserted into the packet
    between the IP header and any subsequent packet
    contents.
  • ESP does not encrypt the ESP header and the ESP
    authentication.

50
ESP format
Original Packet
IP Header
TCP
Data
Packet with ESP
ESP Authentication
IP Header
ESP Header
ESP Trailer
Data
TCP
Encrypted
Authenticated
51
Authentication Header (AH)
  • AH provides authentication and integrity, which
    protects against data tampering using the same
    algorithms as ESP.
  • One drawback of AH is that is does not protect
    datas confidentiality.
  • If data is intercepted and only AH is used, the
    message contents can be read.
  • For the added protection in certain cases, both
    AH and ESP can be used.

52
Authentication Header (AH) Contd.
  • These two protocols can be used alone or combined
    depending on type of application required and
    security needed.
  • One subtle difference explaining why AH is
    preferred over ESP is the scope of coverage of
    authentication.
  • AH authentication includes IP header information
    while ESP does not include that.
  • The authentication header is inserted between the
    IP header and any subsequent packet contents.

53
AH format
Original Packet
IP Header
TCP
Data
Packet with IPSec AH
IP Header
Data
AH
TCP
Authenticated
54
IPSec Modes
  • There are two modes of IPSec - Transport and
    Tunnel mode.
  • Transport mode protects upper layer protocols.
  • Tunnel mode protects entire IP Datagrams.
  • In Transport mode, an IPSec header is inserted
    between IP header and the upper layer protocol
    header.

55
IPSec Modes (Contd.)
  • In Tunnel mode, the entire IP packet to be
    protected is encapsulated in another IP datagram
    and the IPSec header is inserted between the
    outer and inner IP headers.
  • Both AH and ESP can be operate in either tunnel
    mode or transport mode.
  • Next four slides show two modes of IPSec and its
    implementations under ESP and AH.

56
IPSec Modes (Contd.)
Two Modes of IPSec
Source A
Destination B
Internet
Security Gateway2
Security Gateway1
Tunnel Mode
Transport Mode
57
ESP Transport Mode
IPSec ESP Transport Mode
1- Authenticated 2- Encrypted
Original IP Header
Original Packet
TCP
Data
Tunnel Mode Packet
STD. IP Header
ESP header
Optional ESP authentication
TCP
Data
ESP Trailer
Security Parameter Index (SPI )
ESP Header
1
Sequence number
TCP data
Payload Variable size
2
ESP Trailer
Padding
Pad len
Next Hdr
Authentication data
58
ESP Tunnel Mode
IPSec ESP Tunnel Mode
1- Authenticated 2- Encrypted
Original IP Header
Original Packet
TCP
Data
Tunnel Mode Packet
New IP Header
ESP header
Optional ESP authentication
Original IP Header
TCP
Data
ESP Trailer
Security Parameter Index (SPI )
ESP Header
1
Sequence number
IP Hdr, TCP data
Payload Variable size
2
Padding
Pad len
Next Hdr
ESP Trailer
Authentication data
59
AH Transport/Tunnel Mode
AH Transport/Tunnel Mode
Orig IP Header
Original Packet
TCP
Data
Transport mode packet
Orig IP Header
TCP
Data
AH
New IP Header
Orig IP Header
Tunnel Mode Packet
AH
TCP
Data
Next Header
Payload len
Reserved
Security Parameter Index (SPI )
Sequence number
Authentication data
60
Identity and IPSec Access Control
  • In LAN- to-LAN and remote access VPNs it is
    important that devices are identified in a secure
    and manageable way.
  • In remote access VPN device authentication as
    well as user authentication occurs.
  • Device authentication uses either a pre-shared
    key or digital certificate to provide identity of
    the device.
  • Preshared key management is done through Internet
    key exchange (IKE) protocol.

61
IPSec Security association
  • IPSec introduces the concept of Security
    association (SA).
  • An SA is a logical connection between two devices
    transferring data.
  • An SA provides data protection for unidirectional
    traffic by using defined IPSec protocols.

62
IPSec Security association (Contd.)
  • An IPSec tunnel typically consists of two
    Unidirectional SAs, which together provide a
    protected full duplex data channel.
  • An SA allows an enterprise to control exactly
    what resources may communicate securely according
    to security policy.
  • Enterprise can select multiple SAs to enable
    multiple secure VPNs to support different
    departments and different business partners.

63
IPSec Security association (Contd.)
  • SA can be constructed manually or dynamically via
    IKE.
  • When created dynamically SA have lifetime
    associated with them that is negotiated between
    IPSec peers by the key management protocol.
  • The IPSec SA specifies
  • The mode and keys for AH authentication
    algorithm.
  • The mode and keys for ESP encryption algorithm.

64
IPSec Security association (Contd.)
  • The protocol, algorithm and key used to
    authenticate VPN communication.
  • The protocol, algorithm and key used to encrypt
    VPN communication.
  • The presence and size of any cryptographic
    synchronization to be used.
  • The change interval of keys.
  • The time to live of keys.
  • The time to live of SA itself.
  • The SA source address.

65
IPSec Architecture
IPSec Architecture
AH Protocol
ESP Protocol
Authentication Algorithm
Encryption Algorithm
Domain of Interpretation (DOI) specifies a SA
Key Management
66
Internet Key Exchange (IKE)
  • IKE establishes shared security parameters and
    authentication keys between the IPSec peers,
    including all information in SA.
  • Operates under framework defined by ISAKMP
    (Internet security association and key management
    protocol).
  • IKE has two phases, phase one and phase two.
  • Phase one
  • Is designed to exchange master secret. Its
    cryptographic operations are very processor
    intensive.
  • Master secret is used to derive keys.

67
IKE (Contd.)
  • Phase one does not establish any SAs of the keys
    for protecting the user data.
  • Phase one operations are performed infrequently,
    and single phase negotiation can support Phase 2
    exchanges.
  • Phase two
  • Phase two exchanges negotiate the SAs and the
    encryption keys that will be be used to protect
    user data.
  • Phase 2 negotiations occurs more frequently that
    phase one negotiations typically every few
    minutes so that hackers do not have time to break
    the encryption keys.

68
Two phase of IKE
Two Phases of IKE
IPSec Node
IPSec Node
IPSec Node
IPSec Node
Phase 1 Establishing Secure channel IKE SA
Phase 2 Negotiate General Purpose SAs
69
L2TP with IPSec (Transport Mode)
  • Integrating L2TP with IPSec offers the ability to
    L2TP as the tunneling protocol but secure the
    data using IPSec.
  • Using L2TP gives increased manageability with
    user authentication for client to LAN connection
    and multiprotocol support.
  • Interoperability with vendors is better that just
    IPSec alone.
  • One drawback is that it will not pass through NAT.

70
Authentication within IPSec
  • In small fixed VPN, IPSec authentication can rely
    on shared secrets.
  • Devices are configured to share secret data upon
    which data encryption is based.
  • This authentication is practical for only small
    VPNs with few links to multiple nodes.
  • To ensure scalability and best possible security,
    the VPN solution can be integrated with a
    Certificate Authority (CA) in Public key
    infrastructure (PKI).

71
Authentication within IPSec (Contd.)
  • PKI provides a standard, secure and scalable
    means of verifying user and system identities on
    a network.
  • The CA is responsible for issuing and maintaining
    digital certificates for users of VPNs as well as
    for VPN devices themselves.
  • With a CA, scaling is much easier when using PKI
    on the VPN, because for each new user or device,
    simply a new certificate is issued.
  • Keys can be easily managed, updated and backed up
    from a central location.

72
User/Device Authentication with Digital
Certificates
  • A digital certificate contains
  • Serial number of the certificate
  • Issuer algorithm information
  • Valid to/from date
  • User public key information
  • Signature of issuing authority (CA)

0000123 SHA, DH, 3837829 1/1/93 to
12/31/98 Alice Smith, Acme Corp DH, 3813710
... Acme Corporation, Security Dept. SHA, DH,
2393702347 ...
73
Authenticating IPSec VPN with RADIUS
  • IPSec as proposed doesnt include user
    authentication
  • Many vendors include in their VPN products with
    the RADIUS (Remote Authentication Dial-In User
    Service ) authenticating mechanisms
  • RADIUS coordinates authentication and
    authorization information between a network
    access server (VPN switch) and a central
    authentication and authorization server (RADIUS
    Server)

74
VPN Implementation alternatives
  • There are many VPN solutions available they cover
    a range of price-performance, of capacity and of
    installation and configuration complexity.
  • Following are four categories in which they can
    be divided.
  • Traditional or legacy VPN products.
  • Outsourced VPNs.
  • Low end VPNs/firewall products.
  • Point and click VPN Services.

75
Implementation alternatives- Traditional or
legacy VPNs
  • Traditional or legacy VPN products
  • Most first generation VPN products fall into this
    category.
  • VPN function is typically add-on to router, to a
    LAN switch or to firewall.
  • Often leads to hardware upgrade supporting it.
  • Optimized for large businesses.
  • Legacy VPN products category includes PC based
    software solutions targeted at smaller users.
  • These VPN solutions need significant expertise to
    design, install, operate and support.

76
Implementation alternatives- Outsourced VPNs
  • Outsourced VPNs There are two subcategories.
  • a)VPN service from ISP or NSP
  • With a managed service offering complete
    solution from installation to technical support
    is provided.
  • Important issue here is availability of managed
    service in all geographical location where
    customer wants to deploy VPN.

77
Implementation alternatives- Outsourced VPNs
(Contd.)
  • b) Managed VPN Service from a Reseller/Solution
    Provider
  • Solution providers package services from multiple
    service provider to provide solution covering all
    geographical region.
  • Cost, availability and technical support are
    issues here.
  • More flexibility that ISP/NSP solution.

78
Implementation Alternatives Low End
VPNs/Firewall appliances
  • Low end firewall VPN devices
  • These are designed for small to medium size
    enterprise and are purpose built (dedicated to
    VPN gateway function ).
  • May use PC processors or specialize processors.
  • They may include co-processors for offloading the
    encryption function to a separate chip.
  • These appliances may include additional functions
    like firewall, increasing their complexity.
  • Simpler then router, Firewall-based VPN hence
    generally less prone to problems and easier to
    diagnose.

79
Implementation Alternatives Point and click
services.
  • Point and Click Services
  • This solution is independent of ISP and allows
    customers to use their existing hardware.
  • Key feature of this solution is that customer
    does not have to get involved in designing,
    configuring and supporting the VPN.
  • Customer logs onto service provider web site and
    registers key information about each site that is
    to be part of VPN(such as site name and IP
    address).
  • Solution providers NOC then automatically
    creates appropriate VPN configurations based on
    user provided information and configures users
    VPN Gateways and monitors it.

80
VPN Future Challenges
  • Quality of Service (QoS), will become the next
    goals for VPNs.
  • The Internet is an inherently "best effort"
    delivery system. While powerful for connectivity,
    it lacks the consistent and assured performance
    required for the effective delivery of business
    applications.
  • The biggest drawback to traditional QoS is its
    inability to prioritize encrypted packets, making
    it virtually unusable in VPN environments.

81
VPN Future Challenges
  • Traditional QoS relies on the use of individual
    IP packet fields to differentiate and prioritize
    packets.
  • IPSec and other encryption technologies protect
    data by making most of the IP packet fields
    unreadable.
  • Encryption leaves only three fields available for
    packet differentiation, IP source address, IP
    destination address, and protocol.

82
VPN Future Challenges (Contd.)
  • Differentiating on the basis of source IP address
    and destination IP address is not viable
    solution.
  • Source IP address can dynamically be different
    each time.
  • Destination IP address can be just VPN gateway.
  • VPN deployments require a new approach to QoS
    which can beat above problem.

83
Limitations of Traditional QoS devices for VPNs
84
Future Challenges QoS for VPN
  • Some approaches have been proposed by vendors
    like Cisco and more recently Centrisoft
    Corporation.
  • These efforts aim in controlling traffic at the
    application level prior to IPSec packet
    encryption to avoid the issue of having to
    prioritize encrypted packets.
  • Centerwise implements QoS via a distributed
    architecture that provides control at the source
    of trafficthe user desktop.

85
Future Challenges QoS for VPN
Centrisoft approach
86
Future Challenges (Contd.)
  • Instead of looking at individual packets, it
    attempts to control the flow of applications at
    the desktop, where traffic originates.
  • Cisco proposes QoS solution for VPN based on
    packet classification before encryption.
  • Once packets are classified the next step is to
    "mark" or "color" packets with a unique
    identification to ensure that this classification
    is respected end to end.
  • This can be done via the IP ToS field in the
    header of an IP datagram.

87
Future Challenges (Contd.)
  • QoS is still not fully implemented for IP and
    work is still going on. QoS for VPN will be one
    of the key requirements and development is still
    going on to support fully.
  • Need for Traffic Classification, Policing /
    Shaping, Bandwidth Allocation, and Congestion
    Avoidance are all somewhat related to QoS.
  • Other challenges include security of VPNs, though
    many secure mechanisms are available, properly
    applying them and managing is must.

88
Future Challenges (Contd.)
  • Emerging technologies is Virtual private routing
    services (VPRS) which promises to greatly
    benefit customer since it will provide bridging
    and routing capabilities, VLANs, directory
    services and bandwidth critical applications.
  • Focus will fall more and more on delivering
    quality of service (QoS) and class of service
    (CoS) over IP networks as part of a VPN.
  • As voice and data services merge into one (voice
    over IP, IP fax), new network services are being
    developed to offer the QoS/CoS required for data,
    telephony and fax.

89
Conclusion
  • Different VPN protocols have their own advantages
    and disadvantages.
  • Of all VPN protocols IPSec provides strongest
    security and is best suitable for any
    gateway-to-gateway scenario.However, IPSec
    doesnt feature user authentication and have
    multiprotocol support.
  • IETF IPSec remote access working group (IPSRA) is
    working on to make IPSec interoperable with
    legacy devices and in general wider support.

90
Conclusion
  • PPTP and L2TP provide multiprotocol support and
    have user authentication but they security is
    weaker that IPSec and also they lack machine
    authentication.
  • Until, all the problems for common solution are
    ironed out a single protocol cannot fulfill every
    customers requirement.
  • VPN technology will continue to evolve and
    benefit us in coming years. With future support
    for QoS/CoS and integration with other
    technologies like VoIP and multimedia, true
    potential of VPN capabilities will be realized.

91
References
  • RFC 2401 Security architecture for Internet
    Protocol.
  • RFC 2402 IP Authentication Header.
  • RFC 2406 IP Encapsulating Security Payload.
  • RFC 2409 Internet Key Exchange IKE.
  • RFC 2411 IP Security document roadmap.
  • www.enterasys.com White paper - Virtual Private
    network a technology overview.
  • www.cisco.com White paper SAFE VPN an IPSec
    Virtual private network in depth.
  • www.networkcomputing.com Authenticating VPNs
    with RADIUS.
  • www.centricitysoftware.com White paper A QoS
    breakthrough for VPN.
  • www.techguide.com Technology guide- A practical
    guide to right VPN solution.
  • www.cid.alcatel.com White paper - PKI and VPN
    enabling security in increasingly networked
    world.
  • www.smartpipes.com White paper - IPSec-based
    VPNs.
  • www.3com.com Virtual private networks Internet
    based VPNs.
  • www.getesuite.com VPN tunneling basics.
  • www.cisco.com White paper Quality of Service
    for virtual private networks.
About PowerShow.com