Running Head: VIRTUAL PRIVATE NETWORKS
Virtual Private Networks
Ping255
TCOM 255
Abstract
In order to remain competitive in the current marketplace, businesses are turning to a relatively new technology called the Virtual Private Network (VPN). VPNs give organizations the ability to reach private networks over public ones. They hold cost advantages over traditional private networks and offer greater scalability. They are not without detractors: VPNs can provide a false sense of security, and they depend on the Internet for connectivity. Rather than being confined to a narrow set of protocols, VPNs use a variety of methods to establish a secure connection. These secure connections range from large-scale enterprise frameworks, through small offices, down to a single point-to-point connection. Regardless of the size of the network, the same basic infrastructure is maintained through all implementations of a Virtual Private Network.
Virtual Private Networks
As the cost of leasing lines to support off-site access to private networks increases, there is an essential need for change. A technology that is still in its infancy but gaining popularity among businesses is the virtual private network (VPN). If configured correctly, VPNs offer organizations the ability to reach their private networks via public ones. The common protocols used for these configurations range from a Layer 2 protocol, such as the Point-to-Point Tunneling Protocol (PPTP), to a Layer 5 protocol, such as SOCKS. Although VPNs offer cost savings for remote user access to the network and flexible scalability, they are not without pitfalls. VPNs are making their presence known, ranging from large-scale enterprise solutions to simple single point-to-point connections. The underlying methodologies are the same, however, regardless of the size of the implementation.
VPN Overview
Definition
Businesses are changing their strategy from a fully private network to one that uses the resources of an Internet Service Provider (ISP). This method is referred to as a VPN and uses the Internet as a backbone connecting geographically remote nodes. It is not restricted to links across the country or around the world; it can equally be implemented across a town or within a local area network (LAN). It “is virtual because a VPN does not require dedicated lines. It is private because it uses encryption algorithms, is transparent, and is nearly tamperproof. And a VPN is considered a network because it reaps the benefits of a shared Internet Protocol network” (Toffel, 2001, pg.1). The trend to move away from a private network to a virtual private network makes sense, as VPNs offer flexibility and security while reducing the cost of owning a private network.
Leased lines allow users at a remote location to remain in contact with their parent company. For example, employees located in a Los Angeles office can access their main office even if it is located in New York City. One problem with leased lines, though, is that a business has to lease an entire line 24 hours a day, even though the line is only used for a portion of the time. In addition, if the leased line is cut or damaged, packets may not reach their final destination: there is no alternate course for the packets to take in the event something like this occurs. The high costs associated with a leased line and this lack of redundancy are therefore forcing a change among businesses.
Another way remote users are able to access their main office is through a toll-free (1-800) dial-up number. An employee wanting to access the main network simply dials the designated number and, with a username and password to identify the user, may retrieve information and conduct business from a remote location. Over time, the long-distance charges associated with this form of access become very high. Employees would rather stay online, increasing the long-distance charges to the company, than access the necessary information, download it, and then disconnect from the access point. If they were to follow such a cost-saving procedure, employees who had logged off from the network could work offline on their e-mail and on the information they downloaded to their portable computer; once the work was complete, they would log on again via the 1-800 number and send it to their clients. In theory this procedure sounds good, but employees are reluctant to disconnect from what is, to them, free access to the Internet, since the connection gives them the freedom to browse the web, do online banking, and visit sites at no charge to themselves. If not regulated, a 1-800 access point tends to increase the operating costs of connecting remote users to a business’s main network. This is yet another reason why a VPN is an attractive alternative to leased lines.
Whether the public infrastructure used is the Internet, asynchronous transfer mode (ATM), or the public switched telephone network (PSTN), VPNs use the public infrastructure “cloud” to transmit their data. By using public infrastructure instead of leased lines, VPNs offer greater flexibility, cost savings, and redundancy (please refer to Attachment A for a graphical representation of private networks versus virtual private networks). One should, however, make a distinction between a public and a private-public infrastructure. The Internet can be regarded as a public infrastructure because Internet Service Providers do not, for example, offer the same services that an ATM provider will. An ATM network can therefore be regarded as a private-public infrastructure, because it provides additional services that are not offered through the Internet. These services include, but are not limited to, quality of service (QoS), security, maintenance of the system, and interoperability between networks. Depending on the size and needs of a business, there are different VPN standards available. It is the responsibility of an information technology professional to assess the needs of the business and direct it towards the right path.
According to Fowler (1999), a Data Communications Magazine study of the costs of leased lines versus a frame relay VPN and an Internet VPN shows that the Internet VPN is the most economical of the three (Figure 1). The scenario used for this study was to connect three US cities (Boston, Los Angeles and Houston) and one European city, London, with 64 Kbps connections. Using local carrier rates and ISP monthly charges in the United States, the study showed that in the first year frame relay cost about 17% less than leased lines, and about twice as much as an Internet VPN. It is important to remember that the installation costs and the cost of the encryption devices are one-time charges that no longer affect the buyer once the implementation is complete. The obvious economical choice is therefore the Internet-based VPN, but if additional services are required, a frame relay or ATM VPN may prove to be the better choice. According to Fowler, another study, commissioned by Sun Microsystems, showed savings of 20% to 47% from switching from leased lines to a VPN (1999).
                             Leased Line   Frame Relay VPN   Internet VPN
Annual charges                  $133,272           $89,998        $38,400
Installation                      $2,700            $5,760              -
Four VPN encryption devices            -           $16,000        $16,000
Total cost, first year          $135,972          $111,758        $54,400

Figure 1. Cost Comparison of Leased Line, Frame Relay and Internet-based VPNs
Note. Compiled from Virtual private networks: making the right connection, by Dennis Fowler, 1999.
VPNs offer businesses the possibility of creating extranets as well as the less attractive intranets. Intranets “can be an effective way to tie widely distributed facilities into a wide area network” (Fowler, 1999, p. 33). Intranets are mostly used by businesses that have many small offices scattered around the country and needing a connection to the central office. One example is the Mazzio chain of pizza stores, which are scattered across several states. Mazzio’s corporate call center in Oklahoma City takes all orders, although Mazzio has over 250 restaurants located across several states. Customers call a local telephone number, but unbeknownst to the caller, the call is routed to the call center in Oklahoma City. A few benefits of this system are that the call center knows who is calling, knows what was ordered before, and knows where the delivery is to go. The local Mazzio store, connected to the Internet VPN, is notified instantly when the order has been taken. This reduces the number of calls to the local store and allows it to concentrate on the daily activity of making pizzas; in the same way, the call center is focused on taking orders and not distracted by the daily activities of running a restaurant. This makes for an overall efficient and cost-effective way of conducting business for Mazzio. The Internet-based VPN avoids the cost of having local call centers in each state, and compartmentalizes the work.
Extranets allow businesses to connect directly to their vendors and customers, creating a competitive edge over their competitors. A good example of an extranet is the automotive industry. Imagine the number of leased lines needed to connect an automaker with its vendors, suppliers and dealerships; leasing lines would be an enormous undertaking both financially and administratively. Using the Internet cleans this up quite neatly. The automotive industry uses a very large VPN referred to as the Automotive Network Exchange (ANX), which ties “together the facilities of more than 1300 automobile manufactures and their suppliers into a single TCP/IP network” (Fowler, 1999, pg. 27). This is interesting, as the competition between automakers is fierce; nonetheless, they are interconnected on the same network. It is a good example of the importance of implementing security protocols to ensure that each automaker’s secrets and private data remain confidential.
Advantages of VPNs
Cost Savings
Cost savings come from several different sources. Expensive leased lines are no longer needed, since all that is required is a connection to the ISP. Also, the ability to connect to a service provider with a local phone call eliminates the need for costly long-distance calls for remote access. Finally, the ISP can handle the technical support required to run a VPN, which is often less expensive than supporting the VPN internally (Odhner, 2003): the administrative costs of implementing and maintaining the VPN in-house may cost the owner more than outsourcing it.
Scalability
Another major advantage of using VPNs is scalability. Establishing connections between many sites over a large geographical area with leased lines running between each location is an expensive undertaking, as a new line must be added for every new pair of stations; these additional costs hinder scalability. VPNs instead utilize the existing mesh of the Internet to reach remote nodes. This not only reduces cost but also allows connections to a site that might not have access to leased lines. Once the VPN configuration has been established, additional connections can be added with ease.
Disadvantages of VPNs
Reliance on the Internet
The Internet is not a controllable environment, and it presents some serious issues. Internet access is currently restricted to a few connection types, limiting the bandwidth these connections can utilize. The use of a single Internet connection for site-to-site links presents a single point of failure and a focal point for hacker attacks. The use of the Internet also introduces obvious security issues that can expose internal networks (Odhner, 2003).
False sense of security – remote access
The premise of VPNs is to provide a secure connection between end-points over the Internet. This leads users to believe that security issues are completely handled by the encryption and tunneling protocols used. Unfortunately, this is not true. VPNs use these techniques to secure connections from eavesdropping or insertion attacks; they do not provide protection from attacks that pass through the VPN tunnel itself. This false sense of security can and has left networks exposed to an assortment of attacks. The weak point lies in the remote-access connection of a remote client to the internal network. When using VPN client software, not all IP traffic is sent through the VPN tunnel: the software sends only traffic meant for the internal network down the tunnel (so-called split tunneling), and all other Internet traffic goes straight to the Internet through the ISP. The remote client is therefore reachable from the open Internet at the same time as it holds an open tunnel into the internal network, which leaves the entire internal network exposed. A hacker who compromises the remote client can use its tunnel and subsequently obtain access to the internal network (Farrow, 2002).
An example of how this was done is the case in which a hacker used a PPTP connection to gain access to sections of Microsoft’s Redmond campus network. The hacker sent a Trojan horse through the VPN tunnel that recorded the usernames and passwords needed both for PPTP and for authentication to the internal domain account. This information was sent to an e-mail address in Russia, from where the hacker used it to access the campus network. The only reason this intrusion was caught was that a system administrator happened to notice a new user account that had been created; how long the hacker had been in the network is not known (Farrow, 2002).
This event is a prime example of how an unsecured remote client can expose the internal network. Other VPN solutions use methods like IPSec, SSL with TLS (Transport Layer Security), and SSH (Secure Shell) to address this problem. Another way to address this vulnerability is through the use of firewalls. The VPN end-point can be placed behind the firewall, inside the firewall, or in front of the firewall. Placing the end-point behind or inside the firewall still allows VPN tunnels to pass through the firewall unaffected, so the firewall cannot inspect what the tunnel carries. Placing the end-point outside the firewall eliminates the tunnel through the firewall, so the decrypted traffic is subject to firewall policy before it reaches the internal network; this presents the best protection when using a firewall. However, it is not totally secure. If a hacker can gain access to the remote client computer, by either stealing it or hacking it, the VPN client configuration can be used and copied, ultimately compromising the effectiveness of the firewall (Farrow, 2002).
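The split-tunneling exposure described above can be read straight off a client’s routing table. The following is an added example written for this paper (it is not code from Farrow or from any VPN product): it applies the host’s longest-prefix-match rule to a constructed routing table, reports which destinations leave via the tunnel and which go straight to the ISP, and shows the remedy of forcing a full tunnel while keeping a host route to the VPN server’s public address. The interface names, gateway addresses and the VPN server’s public address are assumptions.

```python
"""Longest-prefix-match view of a split-tunnel VPN client's routing table.

Added example for this paper; it is not code from any cited source or product.
The routing table, interface names and addresses below are constructed to mimic
a dial-up VPN client: ppp0 is the ISP link, tun0 the virtual VPN adapter, and
all public addresses come from the RFC 5737 documentation ranges.
"""
import ipaddress
from typing import Dict, List, Tuple

Route = Tuple[ipaddress.IPv4Network, str, str]   # (prefix, gateway, interface)

VPN_IFACE = "tun0"
VPN_GATEWAY = "10.8.0.1"             # inner (tunnel) address of the VPN server (assumed)
VPN_SERVER_PUBLIC = "198.51.100.10"  # outer address the tunnel is built to (assumed)
ISP_IFACE = "ppp0"
ISP_GATEWAY = "203.0.113.1"

# Constructed "netstat -rn"-style dump of a client with split tunneling enabled:
# only the corporate 10.0.0.0/8 goes via tun0; the default route stays on the ISP.
SAMPLE_ROUTING_TABLE = """\
0.0.0.0/0        203.0.113.1   ppp0
10.0.0.0/8       10.8.0.1      tun0
10.8.0.0/24      0.0.0.0       tun0
127.0.0.0/8      127.0.0.1     lo
203.0.113.0/24   0.0.0.0       ppp0
"""


def parse_routes(text: str) -> List[Route]:
    routes: List[Route] = []
    for line in text.splitlines():
        if line.strip():
            dest, gateway, iface = line.split()
            routes.append((ipaddress.ip_network(dest), gateway, iface))
    return routes


def lookup(routes: List[Route], dst: str) -> Route:
    """Longest-prefix match: the same rule the host's IP stack applies."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda r: r[0].prefixlen)


def classify(routes: List[Route], destinations: List[str]) -> Dict[str, str]:
    """Map each destination to 'tunnel' (leaves via the VPN adapter) or 'clear'."""
    return {dst: "tunnel" if lookup(routes, dst)[2] == VPN_IFACE else "clear"
            for dst in destinations}


def is_split_tunnel(routes: List[Route]) -> bool:
    """Split tunneling is in effect when the default route bypasses the VPN adapter."""
    default = [r for r in routes if r[0].prefixlen == 0]
    return bool(default) and default[0][2] != VPN_IFACE


def force_full_tunnel(routes: List[Route]) -> List[Route]:
    """Rewrite the table so that everything leaves through the VPN.

    The one exception is a host route to the VPN server's public address, which
    must keep using the ISP link; otherwise the encrypted tunnel packets would be
    routed back into the tunnel and the connection would collapse.
    """
    kept = [r for r in routes if r[0].prefixlen != 0]
    kept.append((ipaddress.ip_network("0.0.0.0/0"), VPN_GATEWAY, VPN_IFACE))
    kept.append((ipaddress.ip_network(VPN_SERVER_PUBLIC + "/32"), ISP_GATEWAY, ISP_IFACE))
    return kept


if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTING_TABLE)
    probes = ["10.1.2.3", "192.0.2.44", VPN_SERVER_PUBLIC]
    print("split tunnel:", is_split_tunnel(table), classify(table, probes))
    full = force_full_tunnel(table)
    print("full tunnel: ", is_split_tunnel(full), classify(full, probes))
```

With the constructed table, a corporate host (10.1.2.3) is classified as going through the tunnel while an arbitrary Internet host (192.0.2.44) goes in the clear via the ISP, which is exactly the state in which the client is exposed; after the rewrite every destination except the VPN server’s own public address leaves through the tunnel, so the client’s Internet traffic is subject to the corporate firewall instead of the ISP.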
False sense of security – site-to-site access
These vulnerabilities are not limited to remote-access connections; similar issues face site-to-site connections. Another way to address these security concerns, for both forms of connection, is to establish security policies and require that all sites and remote clients implement them. Using firewall software and the latest anti-virus updates can secure the remote client. Likewise, placing end-points on the outside of the firewalls and keeping anti-virus software up to date can protect internal networks from attacks coming through the VPN tunnel. It is important to realize that these precautions, if used correctly, are a means of achieving security for a VPN connection (Farrow, 2002).
Lack of Standards
The fact that VPNs are still in their infancy and lack standards is another drawback. Intense competition among telecommunication companies, along with issues of compatibility, has made standardizing VPNs difficult. For example, some businesses use Netscape while others use Internet Explorer to surf the Internet; different browsers may support different protocols for VPN use. When a business purchases a VPN technology and the standards change, it is difficult and costly to update the system. On the other hand, if a business outsources the VPN technology, upgrading and standardizing the VPN are the service provider’s responsibility. Although more costly to the business, this direction lessens the burden of upgrading a VPN technology. Nonetheless, VPN technology is changing and so are the standards. To keep pace with these changes, businesses must make the appropriate decisions on exactly what their VPN is to be used for.
Quality of Service (QoS)
Another issue that has gained attention lately is QoS. An Internet VPN, for example, suffers from sluggish performance, and video conferencing over it suffers from latency. No ISP can guarantee delivery for packets that travel paths other than its own backbone: it can offer guaranteed service on its own network but not across the Internet, which no single party owns. Therefore QoS will remain a service that attempts to satisfy the end-to-end delivery of data within the level specified in the service level agreement (SLA).
There are cost advantages to a VPN, but there are also hidden costs. Setting up the VPN and training personnel to establish and maintain the network add to the business’s expenses. For employees who are always on the road to be familiar with accessing their accounts from a remote location, there need to be employee training sessions; these are considered part of the maintenance cost of a VPN. First-year implementation costs tend to be high, but they fall once the installation process is complete. Nevertheless, the costs of maintaining the VPN, whether it is outsourced or not, remain. A business must also look at the cost of changing or upgrading its current infrastructure.
VPN Operation
VPNs are simply a method of establishing a private WAN without the use of expensive WAN technologies; they do this by setting up virtual connections over the Internet. VPN connections take two forms, remote-access and site-to-site. Remote-access VPNs connect an individual user or small office to an internal network. Site-to-site VPNs connect multiple LANs together. These connections need to perform several functions in order to be effective. The overriding concern with sending information over the Internet is security, but VPNs must also provide scalability, reliability, and manageability. VPN technologies use two concurrent methods to ensure these requirements are met: encryption and tunneling (Forouzan, 2001).
Encryption is the process of using algorithms to encode data so that only the intended receiver can decode it. This requires that the receiving device hold the key needed to decrypt the data. Most encryption methods fall into two categories: symmetric-key encryption, in which both ends share the same secret key, and public-key encryption, in which each party holds a key pair and data encrypted with the public key can only be decrypted with the corresponding private key. In practice the bulk traffic of a VPN is protected with symmetric keys, with public-key methods used to authenticate the end-points and to establish those keys. These encryption methods play a vital role in the tunneling protocols that make VPN connections possible (Tyson, 2003).
Tunneling is the process of encapsulating one packet, usually after encrypting it, inside another IP packet suitable for transport over the Internet, so that the original packet’s contents and addressing travel as opaque payload. VPN protocols use a variety of methods to establish the secure connection. These protocols can be categorized by the layer of the OSI model at which they function; there are protocols that work at layers 2, 3, and 5, depending upon the form of connection. The Layer 2 protocols build on the industry-standard Point-to-Point Protocol (PPP).
Layer 2 protocols
PPTP- Point-to-Point Tunneling Protocol was developed by a consortium including Microsoft and 3Com. This protocol is designed for remote access from home or a small office. PPTP is very popular because Microsoft has included it in its operating systems. Because it tunnels PPP frames, it supports multiple network protocols such as IP and IPX. It encapsulates these PPP frames with a Generic Routing Encapsulation (GRE) header and then an IP header; the IP header contains the source and destination information needed to cross the Internet (Mitchell, n.d.).
L2TP- Layer Two Tunneling Protocol combines PPTP with Cisco Systems’ Layer 2 Forwarding (L2F). L2TP can be used for both remote-access and site-to-site connections (Odhner, 2003). It encapsulates PPP frames, and thus the IP packets they carry, inside UDP/IP packets for transport across the Internet. L2TP itself provides tunneling but not encryption, so in practice it is paired with IPSec (L2TP/IPSec) to protect the tunnel.
Layer 3 Protocols
IPSec- Internet Protocol Security is a suite of protocols that provides secure tunneled transport of IP packets. IPSec has two operating modes, tunnel mode and transport mode. In tunnel mode the entire original IP packet, header included, is encrypted and encapsulated in a new IP packet for transmission between the two gateways (typically firewalls), which is what site-to-site connections use. In transport mode only the payload is encrypted and the original IP header is kept, which suits connections from end-point to end-point. IPSec supports various authentication technologies and standard algorithms for encryption and integrity protection (for example DES, 3DES and HMAC), and its Encapsulating Security Payload (ESP) carries a sequence number that lets the receiver reject replayed packets. IPSec is on the leading edge of VPN protocols and is integrated into IPv6 (Odhner, 2003).
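The encryption and tunneling steps described under VPN Operation, and the IPSec tunnel and transport modes above, can be made concrete in one added example written for this paper (it is not IPSec code, nor code from Odhner, Forouzan or any product). It builds a real IPv4 header, wraps an inner packet in an ESP-style header with an integrity check value and a sequence number, shows the difference between tunnel mode (inner addresses hidden) and transport mode (original addresses visible), and rejects a replayed or tampered packet. The cipher is a stand-in keystream built from HMAC-SHA256 rather than the DES/3DES of a real IPSec stack, so that the example runs on the Python standard library alone; the keys, SPI and addresses are assumptions, and key exchange is out of scope. Note that the receiving side hands the inner packet back without inspecting it, which is the point made earlier about attacks passing through the tunnel.

```python
"""ESP-style tunnel/transport mode encapsulation with anti-replay checking.
Added example for this paper, not code from IPSec, any cited source or any product.
Layout follows ESP (SPI, sequence number, encrypted payload, next-header trailer, ICV);
the cipher is a stand-in, HMAC-SHA256 driven as a counter-mode keystream, so that the
example runs on the standard library alone.  Addresses, SPI and keys are constructed."""
import hashlib, hmac, ipaddress, struct
from dataclasses import dataclass, field

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_ESP = 4, 6, 50
ICV_LEN = 16

def ipv4_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """RFC 791 header without options, checksum filled in, followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(pkt: bytes) -> dict:
    if ipv4_checksum(pkt[:20]) != 0:
        raise ValueError("bad IPv4 header checksum")
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": str(ipaddress.IPv4Address(f[8])), "dst": str(ipaddress.IPv4Address(f[9])),
            "proto": f[6], "payload": pkt[(f[0] & 0xF) * 4:f[2]]}

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256(key, nonce || counter) blocks XORed over data."""
    blocks = b"".join(hmac.new(key, nonce + struct.pack("!I", i), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, blocks))

@dataclass
class SecurityAssociation:
    """Keys and counters for one direction of traffic (IPSec keeps one SA per direction)."""
    spi: int
    enc_key: bytes
    auth_key: bytes
    seq: int = 0                             # sender side: last sequence number used
    highest: int = 0                         # receiver side: highest number accepted
    seen: set = field(default_factory=set)   # receiver side: numbers accepted in the window
    window: int = 64

    def check_replay(self, seq: int) -> None:
        """Sliding window as in ESP: reject duplicates and packets older than the window."""
        if seq in self.seen or seq + self.window <= self.highest:
            raise ValueError(f"replayed or stale sequence number {seq}")
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s + self.window > self.highest}

def esp_encapsulate(sa: SecurityAssociation, plaintext: bytes, next_header: int) -> bytes:
    sa.seq += 1
    header = struct.pack("!II", sa.spi, sa.seq)      # SPI and sequence number travel in clear
    body = keystream_xor(sa.enc_key, header, plaintext + bytes([next_header]))  # + trailer
    icv = hmac.new(sa.auth_key, header + body, hashlib.sha256).digest()[:ICV_LEN]
    return header + body + icv

def esp_decapsulate(sa: SecurityAssociation, packet: bytes):
    header, body, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, header + body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):       # authenticate before doing anything else
        raise ValueError("ICV mismatch: packet forged or corrupted")
    spi, seq = struct.unpack("!II", header)
    if spi != sa.spi:
        raise ValueError(f"unknown SPI {spi:#x}")
    sa.check_replay(seq)
    plain = keystream_xor(sa.enc_key, header, body)
    return plain[-1], plain[:-1]                     # (next header, inner data)

def tunnel_mode_send(sa, inner: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Tunnel mode: the whole inner packet, addresses included, hides in a new outer packet."""
    return build_ipv4(outer_src, outer_dst, IPPROTO_ESP, esp_encapsulate(sa, inner, IPPROTO_IPIP))

def transport_mode_send(sa, inner: bytes) -> bytes:
    """Transport mode: only the payload is protected; the original addresses stay visible."""
    ip = parse_ipv4(inner)
    return build_ipv4(ip["src"], ip["dst"], IPPROTO_ESP, esp_encapsulate(sa, ip["payload"], ip["proto"]))

def receive(sa, packet: bytes) -> dict:
    """Receiving gateway: strip ESP and hand back the inner packet exactly as it was sent.
    Nothing here inspects that packet, which is why a firewall must sit behind this step."""
    outer = parse_ipv4(packet)
    if outer["proto"] != IPPROTO_ESP:
        raise ValueError("not an ESP packet")
    next_header, data = esp_decapsulate(sa, outer["payload"])
    if next_header == IPPROTO_IPIP:                  # tunnel mode: data is a complete IP packet
        return parse_ipv4(data)
    return {"src": outer["src"], "dst": outer["dst"], "proto": next_header, "payload": data}

if __name__ == "__main__":
    keys = dict(spi=0x1001, enc_key=b"k" * 32, auth_key=b"a" * 32)      # constructed keys
    sender, receiver = SecurityAssociation(**keys), SecurityAssociation(**keys)
    inner = build_ipv4("10.1.0.7", "10.2.0.25", IPPROTO_TCP, b"GET /orders HTTP/1.0\r\n")
    wire = tunnel_mode_send(sender, inner, "198.51.100.10", "203.0.113.20")
    print("outer:", parse_ipv4(wire)["src"], "->", parse_ipv4(wire)["dst"], "inner:", receive(receiver, wire))
```

Two design points are worth noting. The integrity check is verified before anything is decrypted or the sequence number is consulted, so a forged packet is discarded without touching the decryption key or the replay state; and the next-header trailer is what tells the receiver whether the decrypted bytes are a complete IP packet (tunnel mode) or just a transport-layer payload whose addresses are those of the outer header (transport mode).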
Layer 5 Protocols
SOCKSv5 with SSL- SOCKSv5 is a standard for authenticated traffic across firewalls. Using SOCKSv5 with the Secure Sockets Layer allows the creation of a secure VPN designed to work with any firewall. It controls data flow at layer 5, creating a virtual circuit between hosts on a session-by-session basis; each session is authenticated (for example by username and password) before the proxy relays it. SOCKSv5 with SSL is interoperable with PPTP, L2TP, and IPSec (Odhner, 2003).
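The session-level exchange SOCKSv5 performs can be illustrated with an added example written for this paper (it is not code from Odhner or from any SOCKS product). It encodes the RFC 1928 greeting, the RFC 1929 username/password subnegotiation and the CONNECT request on the client side, and runs a small server state machine that refuses clients offering no authentication, rejects bad credentials and applies a ruleset to the requested destination port. The credential store, the allowed ports and the host names are assumptions; the SSL layer that would wrap this exchange in a SOCKS-over-SSL VPN is omitted.

```python
"""SOCKS5 session setup (RFC 1928) with username/password authentication (RFC 1929).
Added example for this paper, not code from any cited source or product.  Both sides are
driven in memory, without sockets, so the byte-level messages can be inspected.  The
credential store, destination ruleset and host names are constructed; the SSL layer that
would wrap this exchange in a SOCKS-over-SSL VPN is left out."""
import ipaddress
import struct

VER = 0x05
NO_AUTH, USER_PASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REP_OK, REP_RULESET = 0x00, 0x02


# ---- client side: message builders ----
def greeting(methods) -> bytes:                        # VER | NMETHODS | METHODS
    return bytes([VER, len(methods), *methods])

def auth_request(user: str, password: str) -> bytes:   # VER=1 | ULEN | UNAME | PLEN | PASSWD
    u, p = user.encode(), password.encode()
    return bytes([1, len(u)]) + u + bytes([len(p)]) + p

def connect_request(host: str, port: int) -> bytes:    # VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT
    try:
        addr = bytes([ATYP_IPV4]) + ipaddress.IPv4Address(host).packed
    except ipaddress.AddressValueError:                # not a dotted quad: send as a domain name
        name = host.encode()
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


# ---- server side: state machine for one session ----
class Socks5Server:
    def __init__(self, credentials: dict, allowed_ports: set):
        self.credentials = credentials                 # {user: password}, constructed store
        self.allowed_ports = allowed_ports             # ruleset consulted for every CONNECT
        self.state, self.user = "greeting", None

    def handle(self, msg: bytes) -> bytes:
        """Consume one client message and return the server's reply."""
        if self.state == "greeting":
            if msg[0] != VER:
                raise ValueError("not a SOCKS5 greeting")
            if USER_PASS not in msg[2:2 + msg[1]]:     # refuse clients that offer no authentication
                self.state = "closed"
                return bytes([VER, NO_ACCEPTABLE])
            self.state = "auth"
            return bytes([VER, USER_PASS])
        if self.state == "auth":
            ulen = msg[1]
            user = msg[2:2 + ulen].decode()
            plen = msg[2 + ulen]
            password = msg[3 + ulen:3 + ulen + plen].decode()
            if msg[0] != 1 or self.credentials.get(user) != password:
                self.state = "closed"
                return bytes([1, 0x01])                # status != 0: client must close
            self.user, self.state = user, "request"
            return bytes([1, 0x00])
        if self.state == "request":
            ver, cmd, _, atyp = msg[:4]
            if atyp == ATYP_IPV4:
                host, rest = str(ipaddress.IPv4Address(msg[4:8])), msg[8:]
            elif atyp == ATYP_DOMAIN:
                host, rest = msg[5:5 + msg[4]].decode(), msg[5 + msg[4]:]
            else:
                raise ValueError("unsupported address type")
            port = struct.unpack("!H", rest[:2])[0]
            ok = ver == VER and cmd == CMD_CONNECT and port in self.allowed_ports
            rep = REP_OK if ok else REP_RULESET
            self.state = "relay" if ok else "closed"
            bind = bytes([ATYP_IPV4]) + bytes(4) + struct.pack("!H", 0)   # BND.ADDR/PORT unused here
            return bytes([VER, rep, 0x00]) + bind
        raise ValueError(f"no client message expected in state {self.state!r}")


def run_session(server: Socks5Server, user: str, password: str, host: str, port: int):
    """Drive a full client exchange; return the final state and the (request, reply) log."""
    log = []
    for msg in (greeting([NO_AUTH, USER_PASS]), auth_request(user, password), connect_request(host, port)):
        if server.state == "closed":
            break
        log.append((msg, server.handle(msg)))
    return server.state, log


if __name__ == "__main__":
    srv = Socks5Server({"alice": "s3cret"}, {80, 443})     # constructed credentials and ruleset
    state, log = run_session(srv, "alice", "s3cret", "intranet.example", 443)
    for request, reply in log:
        print(request.hex(), "->", reply.hex())
    print("final state:", state)
```

The security-relevant behaviour is in the two early exits: a client that only offers the “no authentication” method gets the 0xFF “no acceptable methods” reply and the session ends before any request is read, and a CONNECT to a port outside the ruleset is answered with reply code 0x02 (“connection not allowed by ruleset”) rather than being relayed. Real deployments would also log the authenticated user against each relayed session, which is what makes SOCKS traffic through a firewall attributable.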
VPN Implementation Methods
A common option for a low-cost implementation of a VPN is software built into a firewall. With this implementation, the firewalls on either side of the connection establish a transport tunnel. Since the VPN is integrated within the firewall, the policies set forth by the firewall determine which traffic is routed through the tunnel and which is destined for the Internet. One caveat of this type of implementation is that the firewalls will more than likely have to be from the same manufacturer; ideally the appliances will be the exact same model, or relatively close in design and functionality. As standardization becomes more prevalent in the VPN market, so will the variety of options available (Perlmutter, 2000).
Alternatively, software VPNs can be established through a typical client/server application: the client is installed on the end-user computers, with the server component residing on a central server. These solutions are often based on common protocols such as IPSec and PPTP. Another protocol finding its way into the VPN frontier is SOCKS, which operates at layer 5 of the OSI model. Both software implementations, firewall and client/server, do impact performance somewhat, as they take processing time away from the system(s) on which they reside (Perlmutter, 2000).
Solutions based on hardware are the preferred choice, as they do not steal processing power from other systems the way software-only VPNs do. Routers are an ideal general-purpose platform on which VPNs can reside. The two primary applications of router-based VPNs are site-to-site and remote-access. Functionally speaking, the site-to-site implementation only requires a router at each end of the connection. With a remote-access implementation, however, a device called a remote access concentrator is required to direct each VPN tunnel to the node requesting access (Merkow, 1999).
The ideal hardware-based VPN device is one designed from the ground up specifically for VPNs. These devices are generally identified as VPN appliances. They are best suited to large-scale implementations, where VPN throughput is high and consistent; a router-based solution would tend to get bogged down more than a dedicated appliance would (Perlmutter, 2000).
Conclusion
Virtual private networks are the natural evolution of private intercommunications. They offer flexibility in implementation, as they can be based on software, hardware, or a mixture of the two. As with any other technology, they have their advantages and their disadvantages. Ultimately, it is up to the IT professional to take a good look at the requirements in hand, to determine which implementation of the VPN is best suited for that particular environment.
References
Brown, S. (1999). Implementing virtual private networks. New York: The McGraw-Hill Companies, Inc.
Clark, D. L. (1999). IT manager’s guide to virtual private networks. New York: The McGraw-Hill Companies, Inc.
Davidson, J. M. (2000). Virtual private networks: The next evolutionary step. Efficient Networks, Inc.
Farrow, R. (2002, June). VPN vulnerabilities. Networkmagazine.com. Retrieved May 20, 2003, from http://www.networkmagazine.com/shared/article/showArticle.jhtml?articleid=8703359
Forouzan, B. A. (2001). Data communications and networking. New York: McGraw-Hill.
Fowler, D. (1999). Virtual private networks: Making the right connection. San Francisco: Morgan Kauffman Publishers, Inc.
Merkow, M. (1999). Virtual private networks for dummies. Foster City, CA: IDG Books Worldwide, Inc.
Mitchell, B. (Ed.) (n.d.). Introduction to VPN: Advantages and disadvantages. Computer Networking. Retrieved May 20, 2003 from http://www.compnetworking.about.com/library/weekly/aa010701c.htm
Mitchell, B. (Ed.) (n.d.). Introduction to VPN: Introduction to PPTP -- point-to-point tunneling protocol. Computer Networking. Retrieved May 20, 2003 from http://www.compnetworking.about.com/library/weekly/aa030103a.htm
Odhner, N., & Traeger, C. (2003, March 4). Developing site-to-site VPNs. Faulkner.com. Retrieved May 7, 2003, from http://www.faulkner.com/products/faccts/00016931.htm.
Perlmutter, B. & Zarkower, J. (2000). Virtual private networking: A view from the trenches. Upper Saddle River: Prentice Hall.
Toffel, C. (2001). Why IP virtual private networks? Six key benefits. IDC Executive Brief. Retrieved May 18, 2003, from http://www1.avaya.com/enterprise/whitepapers/2968_web.pdf
Tyson, J. (2003). How virtual private networks work. Howstuffworks.com. Retrieved on May 7, 2003 from http://www.computer.howstuffworks.com/vpn.htm/printable
Attachment A: Private Network vs. VPN Graphic
Attachment B: Lab Setup