A Virtual Private Network (VPN) uses a public network to connect two geographically distant networks into a single logical network. It also provides encryption and tunnelling so that data crosses the public network securely.
VPNs can be layered on top of networks (topologies) in different ways. The three commonly used VPN topologies are:
1.1 - Host - Host
In this topology each host is connected via Ethernet to a LAN, which in turn is connected to the Internet. The two hosts are connected either by leased lines or by a dial-up connection, both of which are susceptible to all kinds of network attacks. A VPN safeguards the data by establishing a secure tunnel that authenticates and protects packet transfers between the two geographically dispersed workstations.
Working of IPSec: Using IPSec, the packets are encrypted with a symmetric-key algorithm (3DES) and encapsulated by the Encapsulating Security Payload (ESP) sub-protocol. Another sub-protocol, the Authentication Header (AH), computes a cryptographic checksum (a keyed hash) over the IP packet header fields. The hash is carried in a further header, which is used for authentication.
The tunnel is created by L2TP from one host to the other, passing through their respective gateways. The sender's encapsulated packets reach the destination, where the header is checked for authenticity and the payload is then decrypted.
An example would be the synchronization of banking servers between two different branches. This topology is usually implemented when only host-to-host communication is needed and a LAN-to-LAN VPN would involve a lot of overhead and additional hardware costs. Being implemented in software, it is a very efficient and effective solution.
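The ESP-then-AH processing described above, as an added example that is not part of the original essay: the sender 3DES-CBC-encrypts the payload and appends an HMAC-SHA256 over the clear header, IV and ciphertext; the receiver verifies that hash before decrypting, so an altered or forged packet is dropped without ever being decrypted. The fixed 20-byte clear header, the two keys and the wire framing are assumptions made for the demo (real IPsec carries SPIs and sequence numbers and negotiates keys with IKE).

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

const hdrLen, bs = 20, des.BlockSize // clear IPv4 header length; 3DES block size
var encKey = []byte("0123456789abcdef01234567") // constructed 24-byte 3DES key (demo only)
var authKey = []byte("demo-authentication-key")   // constructed; IKE would negotiate both
// Encapsulate plays ESP then AH as the essay describes: 3DES-CBC-encrypt the
// payload, then HMAC header|iv|ciphertext. Wire: header|iv|ciphertext|hmac.
func Encapsulate(header, payload []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(encKey)
	if err != nil || len(header) != hdrLen {
		return nil, errors.New("bad key or header length")
	}
	pad := bs - len(payload)%bs // PKCS#7 style padding, always 1..8 bytes
	plain := append(append([]byte{}, payload...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	iv := make([]byte, bs)
	rand.Read(iv) // fresh random IV per packet
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(plain, plain) // encrypt in place
	body := append(append(append([]byte{}, header...), iv...), plain...)
	mac := hmac.New(sha256.New, authKey)
	mac.Write(body)
	return append(body, mac.Sum(nil)...), nil
}

// Decapsulate verifies the hash before decrypting, so altered packets are dropped.
func Decapsulate(pkt []byte) (header, payload []byte, err error) {
	if len(pkt) < hdrLen+2*bs+sha256.Size {
		return nil, nil, errors.New("packet too short")
	}
	body, tag := pkt[:len(pkt)-sha256.Size], pkt[len(pkt)-sha256.Size:]
	mac := hmac.New(sha256.New, authKey)
	mac.Write(body)
	if !hmac.Equal(tag, mac.Sum(nil)) {
		return nil, nil, errors.New("authentication failed: packet altered")
	}
	block, _ := des.NewTripleDESCipher(encKey)
	plain := append([]byte{}, body[hdrLen+bs:]...) // copy so pkt is untouched
	cipher.NewCBCDecrypter(block, body[hdrLen:hdrLen+bs]).CryptBlocks(plain, plain)
	pad := int(plain[len(plain)-1]) // trustworthy: covered by the verified MAC
	return body[:hdrLen], plain[:len(plain)-pad], nil
}
```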
Advantages:
- Implemented in software, hence cheaper and efficient.
- The tunnel is established from the host itself, so unsafe host-to-gateway transfers are avoided.
- A network-to-network VPN can be avoided and its hardware costs saved.
Disadvantages:
- Supports only IP-based protocols.
1.2 - Host - Network
A remote host that wants to connect to a corporate network over the Internet uses this topology. The host sends a tunnel-establishment request to the network; the network authenticates the user and the VPN is then created. Host-network VPNs are also known as Remote Access VPNs (RAVPNs).
Remote Access VPNs facilitate mobility and productivity by providing Layer 3 connectivity to a network. With the advent of high-speed Internet connectivity (DSL and cable modem technologies), remote users can set up secure access to their organization's network.
The RAVPN infrastructure consists of a VPN client and a VPN concentrator.
VPN clients can be software or hardware based. A software-based client runs on the remote user's computer; an example of a hardware-based client is the Cisco 827 VPN router.
VPN concentrators terminate the inbound RAVPN connections from clients. They also provide L2TP Network Server (LNS) and PPTP Network Server (PNS) services for Virtual Private Dial-up Networks (VPDNs).
RAVPNs have seen much improvement, moving from Layer 2 VPDN to the more flexible Layer 3 IPSec and Layer 4 SSL/TLS implementations, which provide more secure data transfer.
Advantages:
- Flexible and productive.
- Secure data exchange by using Layer 3 and Layer 4 technologies.
Disadvantages:
- Unpredictable number of connections.
- No access to other users.
VPN topologies depend significantly on their underlying architecture. The VPN architecture implemented on this topology is the Access VPN.
Access VPN: Before VPNs came into existence, remote users reached the corporate network over the Public Switched Telephone Network (PSTN). With an Access VPN the user needs the PSTN only to reach the ISP's Network Access Server (NAS, also known as a Point of Presence), and the ISP forwards the user's traffic to the corporate network.
The two types of Access VPNs are:
Client-Initiated VPN
This works in two tiers. The client software uses PPP to connect to the ISP's NAS. Then, using L2TP or PPTP, a tunnel is created from the user's PC directly to the company's Access Server. The tunnel spanning from the remote user to the company's server is encrypted.
Advantages:
- A direct tunnel is established.
- The remote user can use any number of ISPs to connect.
- The VPN can span several ISPs.
Disadvantages:
- Enforcement of the company's security policies becomes difficult.
- No scalability: only one connection at a time.
- The ISP assigns the IP address; hence private addresses (RFC 1597) cannot be used.
- Administrative problems arise from large-scale use of client software.
- Hardware/software must be IPSec compatible.
Network-Access Server (NAS) Initiated VPN
The user connects to the ISP's NAS over an unencrypted PPP connection, and the NAS establishes an encrypted connection to the company's Access Server. Since the tunnel starts from the NAS, this is called a NAS-Initiated VPN.
Advantages:
- Administration is easier, with no specific client software.
- Multiple VPNs can be initiated simultaneously.
- Local user authentication.
- NAT provides private addressing.
Disadvantages:
- Complicated network design.
- The unencrypted data between the user and the NAS is unsafe.
- ISP services cannot be used from anywhere.
1.3 - Network - Network (Site-to-Site VPN)
IPSec tunnel over routed links
A site-to-site VPN is said to exist when two geographically distant networks are connected over the Internet so that they appear to be on the same home network. It can be as simple as an encrypted point-to-point link between two nodes of different networks, or as complex as initiating and terminating the VPN tunnel on a firewall or VPN concentrator in each network. Private networks use RFC 1918 addresses, which are not routable on the Internet; by creating a tunnel, the VPN behaves as a router and the two networks can communicate without any addressing changes.
IPSec tunnel over point-to-point links
The advantage of this topology is that it can be optimised. If the WAN router is small, processing IPSec on VPN concentrators significantly increases the performance of the VPN. If the VPN concentrators lack some features needed to process IPSec, a point-to-point tunnel can be used instead. This flexibility exists because these VPNs operate at Layer 3; VPNs are no longer tied to bulk data-link-layer encryption and can tunnel through a series of routed networks.
VPNs also secure traffic within the organization. Modern routers and switches are capable of carrying out cryptographic operations. The Intranet VPN is an example of this type of VPN architecture.
These use the Internet, relying in part on the ISP's private infrastructure. They have already overtaken expensive technologies such as Frame Relay, T1/T3 and ATM by setting up secure tunnels at the local routers.
For confidential, secure communication of sensitive data between organizations, another type of VPN architecture is used, called the Extranet VPN.
Extranets allow remote access from outside the company's internal network. The client company is given a digital certificate by a certification authority (CA) and uses it to establish a secure tunnel to the corporate network. Clients may set up a static IP address or use the Internet Key Exchange (IKE) protocol with dynamic IP addressing. The CA checks the credentials and the client is authorized into the corporate network. An Extranet VPN is also called "extended enterprise extranet connectivity".
More Complex Topologies
VPNs also closely follow the topologies of some non-virtual networks. Some of the more complex cases are:
1.4 - Star Topology
This topology is said to exist when the remote hosts connect via a VPN concentrator (the central node). The VPN concentrator establishes a secure tunnel to each remote host. If two hosts, say A and B, want to communicate, data sent from A passes through the VPN concentrator and then on to host B. The concentrator can support simultaneous connections. The drawback is that even if the hosts are close to each other, they have to communicate via the central node.
Advantages:
- Single point of maintenance, hence ease of maintenance.
- Single point of access control and accounting.
Disadvantages:
- Single point of failure.
- The concentrator's processing power is divided for each new connection.
- Scalability depends on the throughput of the concentrator.
- No intercommunication between hosts.
1.5 - Mesh Topology
As with their WAN counterparts, these can be either fully meshed or partially meshed. The topology is created when each node in a network is connected to every other node in another network by a secure tunnel. A fully meshed configuration has a large number of alternative paths but also suffers from redundancy. A partial mesh overcomes this drawback by having an organized number of inter-links, creating a wireframe of interconnections. Mesh topologies overcome the drawbacks of the star topology.
Advantages:
- Elimination of the single point of failure.
- Performance independent of any single node.
Disadvantages:
- Difficulty in scalability (adding new nodes).
- Requires greater processing power at the nodes.
- Lacks a centralized authentication access point.
- Expensive, as each link needs a VPN device.
1.6 - Hub-and-Spoke Topology
The design of this topology is similar to that of the star topology. The major difference is that in the star topology the hosts cannot access each other, whereas in the hub-and-spoke topology they can. The central node behaves only as a transit channel in the network: the sender's incoming data is decrypted, inspected and re-encrypted for transmission to the destination host.
Advantages:
- Single configuration point.
- Ease of maintenance.
- Single point of access control and accounting.
- Hosts can communicate with other hosts.
Disadvantages:
- Single point of failure.
- Large overhead at the central node during communication between hosts.
- Scaling drastically affects the performance of the central node.
- Each new connection affects the central node's processing power.
2.0 - Difference between VPN and Firewall
VPN: Encrypts traffic to clients/networks.
Firewall: Allows/restricts traffic to/from a network.

VPN: Creates a tunnel for safe data exchange.
Firewall: Protects one network from the other.

VPN: Filters users on the basis of credentials.
Firewall: Filters on the basis of protocols, packets, ports, domain names and specific words/phrases.

VPN: Needs a medium such as the Internet/PSTN to exist.
Firewall: Filters the medium.

VPN: Encrypts the data and transfers it via a tunnel.
Firewall: Checks the packet header and, if placed after the VPN, checks the packet contents as well.

VPN: Can span several LANs.
Firewall: Connected to a specific network.

VPN: Has an architecture and a topology.
Firewall: Has an architecture but no topology.

Layer of OSI
VPN: Data-Link Layer (L2F, L2TP and PPTP), Network Layer (MPLS, L2TPv3, IPSec) and Transport Layer (SSL and TLS).
Firewall: Either the Network Layer or the Transport Layer.

VPN: Usually implemented on a firewall; positioning it before or after the firewall significantly changes performance.
Firewall: The strategic position of the firewall is very significant.

VPN: Performance depends on the Internet connectivity.
Firewall: Independent of the Internet connectivity.
3.0 - Unplanned VPN Enterprise Use: Risks
Deploying a VPN requires a high level of knowledge and deep insight into the major factors of network security, including stringent and sophisticated methods for authentication and encryption. Encryption of network addresses also adds to the security. Carrying out these tasks successfully needs careful planning and the necessary precautions; failing to do so can compromise the whole network.
Remote users: Remote users who run unchecked applications on their computers and then connect to the office VPN can compromise its security.
Solution: Provide telecommuters with company-owned computers that can be monitored for which applications are permitted and that are used solely for the organization's work. Up-to-date anti-virus software and a firewall should also be present.
Shortage of adequate bandwidth during transactions is another significant risk with a VPN. Connecting more users across the Internet ultimately eats into the bandwidth, thereby affecting every single user.
Solution: Providing guaranteed bandwidth under any load is the obvious option, but it drastically increases the cost of the system. It is pragmatic only for companies that rely heavily on day-to-day transactions.
VPNs are usually designed to accommodate IP applications which are highly reliable and work at low latencies. Today many applications run in real time and place tight demands on latency. Although some applications have been tested and adapt to the new latency levels, many others end up behaving erratically. This affects the Quality of Service (QoS) factor.
Solution: The IETF is developing Multi-Protocol Label Switching (MPLS), which will ensure QoS.
When many networks are to be connected by a VPN, different VPN technologies may be used in the setup. These come from different vendors following different standards, and many compatibility and configuration issues may arise.
Solution: Assemble the VPN solely from one vendor's products to avoid interoperability issues.
VPNs depend on the Internet; hence the availability of the Internet at all times is definitely something to think about.
Solution: Check for the availability of nearby Points of Presence (POPs) before connecting to the VPN.
The functioning and performance of a company's wide-area VPN do not depend on the VPN alone; many other factors influence its efficiency.
Solution: Take all these factors into account when planning the VPN.
Configuring a VPN without external review may lead to a wrong implementation.
Solution: The design and configuration must be reviewed by network administrators and related parties before implementation, as this helps find bugs.
Poor documentation of the changes made to the infrastructure.
Solution: Use discovery tools to map the network.
A faulty key management strategy. There is a seed key which initializes the VPN and on which the security of all other host keys and gateway keys depends. If it is lost, the whole infrastructure is compromised.
Solution: Provide for automatic/manual key change, secure the revocation certificate and review the cipher algorithm.
Fitting the VPN into the present network architecture: not many VPNs handle non-IP packets.
Solution: Find out which VPN is compatible with your network and implement that one.
There are hidden costs in setting up a VPN, such as adding capacity, installation charges and hardware replacement costs.
Solution: Detailed cost planning is required, along with the understanding that the savings from a VPN only begin once it is running smoothly without issues.
Managing the VPN, such as authentication and key management for a large number of users.
Solution: User authentication can be handled by a remote authentication server. Key management requires a relationship with a Certifying Authority.
These are some of the risks and issues which need to be taken care of while planning a VPN.
4.0 - Conclusion
The following have been covered in this assignment. First, a brief definition of a VPN is given. The various topologies (host-host, host-network, network-network, star, mesh and hub-and-spoke) are discussed in detail, together with their advantages and disadvantages.
The second part covers the differences between a firewall and a VPN with reference to various parameters.
The third part discusses in detail the risks which arise when a VPN is used without prior planning.