Virtual Private Network real time scenario implementation for Sun Infosys Ltd.
EE249 Network Project Preparation
Rashid Yunus Khan, ID: 03020935, Email: [email_address]
Supervisor: Prof Algirdas Pakstas, Supervisor Email: [email_address]
Computing, Communications Technology and Mathematics, London Metropolitan University, 166-220 Holloway Road, London N7 8DB
2) Introduction – Motivation & Background
3) Project Aims & Objectives
4) Work done by others
5) Possible Methods of Achieving the Objectives
6) Literature Search
7) Project Plan & Charts
9) List of References
This project will provide an introduction, research, theory, analysis, solutions, a real-time implementation and a study of Virtual Private Networking for Sun Infosys Ltd. This chapter also outlines the structure of this document, which covers the various concepts, theories and main terminology needed to understand and implement a Virtual Private Network.
Chapter 2 (Introduction)
Chapter 3 (Project Aims & Objectives) will show the aims and objectives of the project.
Chapter 4 (Work done by others)
Chapter 5 (Possible Methods of Achieving the Objectives)
In Chapter 6 & 7 (Literature Search, Project Plan & Charts)
In Chapter 8 (Conclusions)
In Chapter 9 ( List of References)
This documentation is a project proposal by myself, a final-year undergraduate student in BSc Hons. Computer Networking. The chosen topic for this project is a real-time Virtual Private Networking implementation for Sun InfoSys Ltd.
The motivation behind this project for me is not only to enhance my knowledge of a complex but very rewarding and currently hot technology, Virtual Private Networking, for an existing company called Sun InfoSys Ltd., but to actually implement this project in that company. This can bear fruit for me in the form of a possible future job prospect in this company.
In this project, I will also be developing an online website covering this report that will be available with this documentation; I will publish the web address within the conclusion of this report.
Previously I have worked for several years as a Network Engineer in Pakistan for several companies and have designed, implemented and troubleshot complex networks.
I have also worked as a web developer and developed several websites for clients in Pakistan. Clearly I have great interest in the field of Networking and this is the sole reason for me taking up this degree to further my knowledge and career within this field.
3. Project Aims & Objectives
Sun Infosys Ltd. has a business of not only computer hardware but software and CCTV systems as well. Because of the varied systems there was a need for convergence and also availability, so that the resources can be tapped and checked from virtually everywhere, as the sales team and director are mostly mobile. This need, coupled with the popularity of VPN systems, gave me a chance to offer myself for this project and offer a solution to their problems. Sun Infosys Ltd. gladly accepted my offer.
The aims and objectives of this project are to make proposals that will allow me to investigate the best method and solution for implementing a Virtual Private Network for Sun InfoSys Ltd. between its Head Office and Branch Office, and to provide connectivity to its Managing Director, Sales team, various Installers and Site Engineers requiring access to various resources.
The sales team needs to commute to various organizations to give presentations and to convince potential clients; they frequently require on-the-move connections to resources such as sales figures, Sage, presentations, technical data, live demos and IP-based demonstrations of their digital CCTV systems.
The Support team and various installers and engineers require on-the-move access to technical resources, software, patches, and contact information from the company and Sage when visiting client locations, which are currently spread across London.
After analyzing this company’s needs and objectives I have genuinely come to think that Virtual Private Networking possibly might offer the solution this company so desperately needs.
Key topics for research for Virtual Private Networking:
1.1 What is VPN?
1.2 What Makes a VPN?
1.3 Types of VPN
1.4 Remote-Access VPN
1.5 Site-to-Site VPN
1.6 Extranet VPN
1.7 VPN Security
1.11 AAA Servers
1.12 VPN Technologies
1.13 VPN Concentrator
1.14 VPN-Optimized Router
1.15 Cisco Secure PIX Firewall
1.17 Carrier protocol
1.18 Encapsulating protocol
1.19 Passenger protocol
1.20 Tunneling: Site-to-Site
1.21 Tunnelling: Remote-Access
1.22 L2F (Layer 2 Forwarding)
1.23 PPTP (Point-to-Point Tunneling Protocol)
1.24 L2TP (Layer 2 Tunneling Protocol)
Work Done By others
PPTP – Point to Point Tunnelling Protocol
L2F – Layer 2 Forwarding
L2TP – Layer 2 Tunnelling Protocol
IPSec – IP Security Protocol
Possible methods of achieving the Objectives:
When I analyzed the problem I saw two problems instead of one! First convergence and second remote availability. Although these are two separate problems, they can actually be addressed by just one solution: Virtual Private Networking!
Virtual Private Networking offers scalability and remote availability, and eventually offers convergence as well. How does VPN offer convergence, you might ask? Let's take Sun Infosys Ltd's scenario. They have CCTV systems, which are currently offline systems, plus PC hardware assembling and sales. By leveraging VPN, the offline CCTV systems can be linked to the internet and intranet, effectively making the CCTV systems an online system. The PC assembling department has to go through various procedures such as hardware procurement, supply chain management, stock, sales, dispatch, returns, technical support and marketing. All these aspects can be brought together via a single online or networked system; in both cases VPN is again the answer, bridging the gap.
1. Hardware Based Solutions:
For hardware based solutions, various tools and devices are available from a number of vendors; these include Cisco as the foremost, Sonicwall, Shiva etc. The list is endless. These are VPN enabled / pass-through routers, VPN Concentrators, VPN Optimized Routers, VPN Firewalls etc.
2. Software Based Solutions:
For software based solutions there are numerous products in the market, each catering to the needs of any kind of scenario. The good side of software based solutions is that they are very much customizable, upgradeable and scalable. The bad point is that they are prone to failures, attacks, viruses, and performance issues.
Software based solutions are best offered by the software giant Microsoft, then Symantec, Check Point Software, Cisco and many others.
3. Protocol Selection
When talking about protocol selection for a VPN implementation I have to take into account Sun InfoSys Ltd’s existing infrastructure, scale of the company, the costs and budget.
Keeping in view the above factors, Sun InfoSys is a small to medium sized organization, and in my view the best protocol to go for would be IPSec, with an IPSec to IPSec implementation, given its various qualities which are discussed and researched further in the proposal.
When talking about software based solutions, a point to note is that they are all platform dependent. Hence they can incur overhead costs and expensive expertise to pay for installation and/or management.
What is VPN?
A VPN is a generic term that describes any combination of technologies that can be used to secure a connection through an otherwise unsecured or untrusted network.
[ VPN is one of the most used words in networking today and has many different meanings.
The broadest definition of a VPN is 'any network built upon a public network and partitioned for use by individual customers'. This results in public frame relay, X.25, and ATM networks being considered as VPNs. These types of VPNs are generically referred to as Layer 2 VPNs. The emerging form of VPNs are networks constructed across shared IP backbones, referred to as 'IP VPNs'. ]
Basically a VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users together. Instead of using a dedicated, real-world connection such as a leased line, a VPN uses "virtual" connections routed through the Internet from the company's private network to the remote site or employee.
What Makes a VPN?
A well-designed VPN can greatly benefit a company. For example, it can:
Extend geographic connectivity
Reduce operational costs versus traditional WAN
Reduce transit time and transportation costs for remote users
Simplify network topology
Provide global networking opportunities
Provide telecommuter support
Provide broadband networking compatibility
Provide faster ROI (return on investment) than traditional WAN
A well-designed VPN should have the following features:
[ Remote Access VPNs provide remote access to a corporate Intranet or extranet over a shared infrastructure with the same policies as a private network. Access VPNs enable users to access corporate resources whenever, wherever, and however they require. Access VPNs encompass analog, dial, ISDN, digital subscriber line (DSL), mobile IP, and cable technologies to securely connect mobile users, telecommuters, or branch offices. ]
Remote-access, also called a virtual private dial-up network (VPDN), is a user-to-LAN connection used by a company that has employees who need to connect to the private network from various remote locations. Normally, a company that wishes to set up a large remote-access VPN will outsource to an enterprise service provider (ESP). The ESP sets up a network access server (NAS) and provides the remote users with desktop client software for their computers. The telecommuters can then dial a Low Call or Free number (0800, 0500 etc) to reach the NAS and use their VPN client software to access the corporate network.
[ Site-to-Site VPNs are an alternative WAN infrastructure that is used to connect branch offices, home offices, or business partners' sites to all or portions of a company's network. VPNs do not inherently change private WAN requirements, such as support for multiple protocols, high reliability, and extensive scalability, but instead meet these requirements more cost-effectively and with greater flexibility. ]
A company can connect multiple fixed sites over a public network such as the Internet through the use of dedicated equipment and large-scale encryption. Site-to-site VPNs can be one of two types:
Intranet-based - If a company has one or more remote locations that they wish to join in a single private network, they can create an intranet VPN to connect LAN to LAN.
Extranet-based - When a company has a close relationship with another company (for example, a partner, supplier or customer), they can build an extranet VPN that connects LAN to LAN, and that allows all of the various companies to work in a shared environment.
[ Extranet VPNs link customers, suppliers, partners, or communities of interest to a corporate Intranet over a shared infrastructure using dedicated connections. Businesses enjoy the same policies as a private network, including security, QoS, manageability, and reliability. ]
* See reference section for resource detail.
A well-designed VPN uses several methods for keeping your connection and data secure:
1) Firewalls
2) Encryption
3) IPSec
4) AAA Server
[ Firewall (n.) A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria. ]
Packet filter: Looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing.
Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose performance degradation.
Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.
Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.
[ Encryption (n.) The translation of data into a secret code. Encryption is the most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted data is called plain text; encrypted data is referred to as cipher text. ]
Encryption is the process of taking all the data that one computer is sending to another and encoding it into a form that only the other computer will be able to decode. Most computer encryption systems belong in one of two categories:
In symmetric-key encryption, each computer has a secret key (code) that it can use to encrypt a packet of information before it is sent over the network to another computer. One needs to know which computers will be talking to each other so that the key can be installed on each of them. Symmetric-key encryption is essentially the same as a secret code that each of the two computers must know in order to decode the information. The code provides the key to decoding the message. This can be further understood by a simple example: you create a coded message to send to a friend in which each letter is substituted with the letter that is two down from it in the alphabet. So "A" becomes "C," and "B" becomes "D". You have already told a trusted friend that the code is "Shift by 2". Your friend gets the message and decodes it. Anyone else who sees the message will see only nonsense.
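The "Shift by 2" code from the paragraph above, worked through as an added example that is not part of the original proposal: the key is agreed between the two parties beforehand and never travels with the message, and a receiver without that key gets only nonsense back.

```python
# Added example, not part of the original proposal: the "Shift by 2" code from
# the paragraph above as a symmetric-key scheme. Both parties must already
# share the key; the key itself is never sent with the message.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def shift_encrypt(plaintext: str, key: int) -> str:
    """Replace each letter with the one `key` places further down the alphabet,
    wrapping from Z back to A. Characters outside A-Z pass through unchanged."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(ciphertext: str, key: int) -> str:
    """Undo the shift; the receiver must use the same key the sender used."""
    return shift_encrypt(ciphertext, -key)


if __name__ == "__main__":
    shared_key = 2  # agreed with the trusted friend beforehand, as in the text
    message = "MEET AT THE BRANCH OFFICE"  # constructed sample message
    secret = shift_encrypt(message, shared_key)
    print(secret)                             # OGGV CV VJG DTCPEJ QHHKEG
    print(shift_decrypt(secret, shared_key))  # MEET AT THE BRANCH OFFICE
    print(shift_decrypt(secret, 7))           # wrong key: only nonsense
```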
Public-key encryption uses a combination of a private key and a public key. The private key is known only to your computer, while the public key is given by your computer to any computer that wants to communicate securely with it. To decode an encrypted message, a computer must use the public key, provided by the originating computer, and its own private key. A very popular public-key encryption utility is called Pretty Good Privacy (PGP), which allows you to encrypt almost anything.
[ Short for IP Security, a set of protocols developed by the IETF to support secure exchange of packets at the IP layer. IPsec has been deployed widely to implement Virtual Private Networks (VPNs). ]
Internet Protocol Security Protocol (IPSec) provides enhanced security features such as better encryption algorithms and more comprehensive authentication.
IPSec has two encryption modes: tunnel and transport. Tunnel mode encrypts the header and the payload of each packet, while transport mode encrypts only the payload. Only systems that are IPSec compliant can take advantage of this protocol. Also, all devices must use a common key, and the firewalls of each network must have very similar security policies set up. IPSec can encrypt data between various devices, such as:
· Router to router
· Firewall to router
· PC to router
· PC to server
4) AAA Servers
[ Short for authentication, authorization and accounting, a system in IP-based networking to control what computer resources users have access to and to keep track of the activity of users over a network. ]
AAA (authentication, authorization and accounting) servers are used for more secure access in a remote-access VPN environment. When a request to establish a session comes in from a dial-up client, the request is proxied to the AAA server. AAA then checks the following:
· Who you are (authentication)
· What you are allowed to do (authorization)
· What you actually do (accounting)
Depending on the type of VPN (remote-access or site-to-site), certain components will need to be put in place to build the VPN. These might include:
· Desktop software client for each remote user
· Dedicated hardware such as a VPN concentrator or secure PIX firewall
· Dedicated VPN server for dial-up services
· NAS (network access server) used by service provider for remote-user VPN access
· VPN network and policy-management center
Because there is no widely accepted standard for implementing a VPN, many companies have developed turn-key solutions on their own.
Incorporating the most advanced encryption and authentication techniques available, Cisco VPN concentrators are built specifically for creating a remote-access VPN. They provide high availability, high performance and scalability and include components, called scalable encryption processing (SEP) modules, which enable users to easily increase capacity and throughput. The concentrators are offered in models suitable for everything from small businesses with up to 100 remote-access users to large organizations with up to 10,000 simultaneous remote users.
Cisco's VPN-optimized routers provide scalability, routing, security and QoS (quality of service). Based on the Cisco IOS (Internet Operating System) software, there is a router suitable for every situation, from small-office/home-office (SOHO) access through central-site VPN aggregation, to large-scale enterprise needs.
Cisco Secure PIX Firewall
The Cisco PIX (Private Internet Exchange) firewall combines dynamic network address translation, proxy server, packet filtering, firewall and VPN capabilities in a single piece of hardware.
Instead of using Cisco IOS, this device has a highly streamlined OS that trades the ability to handle a variety of protocols for extreme robustness and performance by focusing on IP.
[ Tunneling (n.) A technology that enables one network to send its data via another network's connections. Tunneling works by encapsulating a network protocol within packets carried by the second network. For example, Microsoft's PPTP technology enables organizations to use the Internet to transmit data across a VPN. It does this by embedding its own network protocol within the TCP/IP packets carried by the Internet. ]
Most VPNs rely on tunneling to create a private network that reaches across the Internet. Essentially, tunneling is the process of placing an entire packet within another packet and sending it over a network. The protocol of the outer packet is understood by the network and both points, called tunnel interfaces, where the packet enters and exits the network.
Carrier protocol - The protocol used by the network that the information is traveling over
Encapsulating protocol - The protocol (GRE, IPSec, L2F, PPTP, L2TP) that is wrapped around the original data
Passenger protocol - The original data (IPX, NetBEUI, IP) being carried
To explain and simplify the process of tunneling I will give an example: it's like having a mobile phone delivered by Royal Mail. The mobile phone company packs the mobile phone (passenger protocol) into a box (encapsulating protocol), which is then put on a Royal Mail delivery truck (carrier protocol) at the mobile phone company's warehouse (entry tunnel interface). The truck (carrier protocol) travels over the motorways (Internet) to the customer's home (exit tunnel interface) and delivers the mobile phone. The customer opens the box (encapsulating protocol) and removes the mobile phone (passenger protocol). That's called tunneling. Simple!
Tunneling has several nice uses for VPNs. For example, a packet that uses a protocol not supported on the Internet (such as NetBEUI) can be placed inside an IP packet and sent safely over the Internet. Or a packet that uses a private (non-routable) IP address can be put inside a packet that uses a globally unique IP address to extend a private network over the Internet.
In a site-to-site VPN, GRE (generic routing encapsulation) is normally the encapsulating protocol that provides the framework for how to package the passenger protocol for transport over the carrier protocol, which is typically IP-based. This includes information on what type of packet is being encapsulated and information about the connection between the client and server. Instead of GRE, IPSec in tunnel mode is sometimes used as the encapsulating protocol. IPSec works well on both remote-access and site-to-site VPNs. IPSec must be supported at both tunnel interfaces to be used.
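The carrier, encapsulating and passenger layers described above, together with the tunnel-versus-transport distinction from the IPSec section, worked through as an added example that is not part of the original proposal. It assumes constructed sample addresses (private 10.x hosts for the passenger packet, RFC 5737 documentation addresses for the public tunnel endpoints) and a hypothetical demo() helper; a private-to-private packet is wrapped in GRE at the entry tunnel interface and unwrapped unchanged at the exit.

```python
# Added example, not from the original proposal: the carrier / encapsulating /
# passenger layering above, built and unpacked with struct. Addresses are
# constructed: private 10.x addresses for the passenger packet and RFC 5737
# documentation addresses for the public tunnel endpoints.
import ipaddress
import struct

PROTO_GRE = 47           # IP protocol number carried in the carrier header
PROTO_UDP = 17
GRE_PTYPE_IPV4 = 0x0800  # GRE protocol-type value for an IPv4 passenger packet


def checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, as used for the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options); checksum filled in last."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload) for a packet with a 20-byte header."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl != 0x45:
        raise ValueError("only IPv4 without options is handled here")
    return (str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
            proto, pkt[20:total_len])


def gre_encapsulate(passenger: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Entry tunnel interface: a 4-byte GRE header (no flags, protocol type
    IPv4) wraps the passenger packet, then a carrier IP header goes in front."""
    inner = struct.pack("!HH", 0, GRE_PTYPE_IPV4) + passenger
    return ipv4_header(tunnel_src, tunnel_dst, PROTO_GRE, len(inner)) + inner


def gre_decapsulate(carrier_pkt: bytes) -> bytes:
    """Exit tunnel interface: strip the carrier and GRE headers and give back
    the passenger packet exactly as it entered the tunnel."""
    _, _, proto, inner = parse_ipv4(carrier_pkt)
    if proto != PROTO_GRE:
        raise ValueError("carrier packet does not contain GRE")
    flags, ptype = struct.unpack("!HH", inner[:4])
    if flags != 0 or ptype != GRE_PTYPE_IPV4:
        raise ValueError("unsupported GRE header")
    return inner[4:]


def ipsec_protected_bytes(original: bytes, mode: str) -> bytes:
    """Which bytes of the original packet IPSec would encrypt: transport mode
    covers only the payload behind the IP header, tunnel mode covers the whole
    original packet (header included) behind a new outer header."""
    if mode == "transport":
        return original[20:]
    if mode == "tunnel":
        return original
    raise ValueError("mode must be 'transport' or 'tunnel'")


def demo():
    """Private-to-private packet crossing the Internet inside a GRE tunnel."""
    payload = b"SALES FIGURES Q3"  # constructed application data
    passenger = ipv4_header("10.0.1.5", "10.0.2.9", PROTO_UDP, len(payload)) + payload
    carrier = gre_encapsulate(passenger, "203.0.113.1", "198.51.100.1")
    recovered = gre_decapsulate(carrier)
    return passenger, carrier, recovered


if __name__ == "__main__":
    passenger, carrier, recovered = demo()
    print("carrier header:", parse_ipv4(carrier)[:3])      # public endpoints, proto 47
    print("passenger header:", parse_ipv4(passenger)[:3])  # private addresses
    print("round trip intact:", recovered == passenger)    # True
```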
In a remote-access VPN, tunneling normally takes place using PPP. Part of the TCP/IP stack, PPP is the carrier for other IP protocols when communicating over the network between the host computer and a remote system. Remote-access VPN tunneling relies on PPP.
Each of the protocols listed below were built using the basic structure of PPP and are used by remote-access VPNs.
L2F (Layer 2 Forwarding)
[ Often abbreviated as L2F, a tunneling protocol developed by Cisco Systems. L2F is similar to the PPTP protocol developed by Microsoft, enabling organizations to set up virtual private networks (VPNs) that use the Internet backbone to move packets. ]
Developed by Cisco, L2F will use any authentication scheme supported by PPP.
PPTP (Point-to-Point Tunneling Protocol)
[ Short for Point-to-Point Tunneling Protocol, a new technology for creating Virtual Private Networks (VPNs), developed jointly by Microsoft Corporation, U.S. Robotics, and several remote access vendor companies, known collectively as the PPTP Forum. A VPN is a private network of computers that uses the public Internet to connect some nodes. Because the Internet is essentially an open network, the Point-to-Point Tunneling Protocol (PPTP) is used to ensure that messages transmitted from one VPN node to another are secure. With PPTP, users can dial in to their corporate network via the Internet. ]
PPTP was created by the PPTP Forum, a consortium which includes US Robotics, Microsoft, 3COM, Ascend and ECI Telematics. PPTP supports 40-bit and 128-bit encryption and will use any authentication scheme supported by PPP.
L2TP (Layer 2 Tunneling Protocol)
[ Short for Layer Two (2) Tunneling Protocol, an extension to the PPP protocol that enables ISPs to operate Virtual Private Networks (VPNs). L2TP merges the best features of two other tunneling protocols: PPTP from Microsoft and L2F from Cisco Systems. Like PPTP, L2TP requires that the ISP's routers support the protocol. ]
L2TP is the product of a partnership between the members of the PPTP Forum, Cisco and the IETF (Internet Engineering Task Force). Combining features of both PPTP and L2F, L2TP also fully supports IPSec.
L2TP can be used as a tunneling protocol for site-to-site VPNs as well as remote-access VPNs. In fact, L2TP can create a tunnel between:
· Client and router
· NAS and router
· Router and router
What is MPLS?
MPLS stands for "Multiprotocol Label Switching". In an MPLS network, incoming packets are assigned a "label" by a "label edge router (LER)". Packets are forwarded along a "label switch path (LSP)" where each "label switch router (LSR)" makes forwarding decisions based solely on the contents of the label. At each hop, the LSR strips off the existing label and applies a new label which tells the next hop how to forward the packet.
Label Switch Paths (LSPs) are established by network operators for a variety of purposes, such as to guarantee a certain level of performance, to route around network congestion, or to create IP tunnels for network-based virtual private networks. In many ways, LSPs are no different than circuit-switched paths in ATM or Frame Relay networks, except that they are not dependent on a particular Layer 2 technology.
An LSP can be established that crosses multiple Layer 2 transports such as ATM, Frame Relay or Ethernet. Thus, one of the true promises of MPLS is the ability to create end-to-end circuits, with specific performance characteristics, across any type of transport medium, eliminating the need for overlay networks or Layer 2 only control mechanisms.
Project Plan and charts:
1) Performance needs of the remote applications
2) IP Address Planning
3) ISP Evaluation
4) Planning Firewall Policy Changes (if VPN Server is behind firewall)
5) Remote VPN Implementation Issues
6) Remote Branch Office Considerations
7) Using Microsoft Networking with Remote VPN
8) ISP Evaluation
9) Integration into the Corporate Network
10) Performance Considerations
11) Project time frame
12) Beta testing
13) Final rollout
14) Project Windup
After meeting with Mr. Andy, the managing director, along with the sales, support and technical staff, visiting both the head office and the branch office, and taking an inventory of the existing hardware, computer systems and software, as well as the budget and time frame required, I have come to conclude that not only will this company benefit enormously from a Virtual Private Network but it also already has the infrastructure in place. They already have Windows Server 2003 installed and configured, and really it's just a matter of installing Microsoft's ISA Server 2004 and using it to its full potential. Of course they will require VPN pass-through router upgrades, higher bandwidth to the VPN server, broadband infrastructure improvements, IP address schemes, VPN client software and staff training. All of this can be easily achieved, as the company staff are highly technical and the company is already a computer hardware vendor, so hardware procurement should not be a major issue. I am sure I will be able to install and implement this project well before time.