This ppt show the very fundamental aspects of VPN(Virtual Private Networks) and show why it is used and its associated benefits. Also show characteristics, Tunneling, Encapsulation, etc.
Overview of VPN protocols.
VPNs (Virtual Private Networks) are often viewed from the perspective of security with the goal of providing authentication and confidentiality.
However, the primary purpose of VPNs is to connect 2 topologically separated private networks over a public network (typically the Internet).
VPNs basically hook a network logically into another network so that both appear as one private local network.
Security is a possible add-on to VPNs. In many cases it makes perfectly sense to secure the VPNs communication over the unsecure public network.
VPN protocols typically employ a tunnel where data packets of the local network are encapsulated in an outer protocol for transmission over the public network.
The most important VPN protocols are IPSec, PPTP and L2TP. In recent years SSL/TLS based VPNs such as OpenVPN have gained widespread adoption.
VPN as the Key for a Successful MSP BusinessSafar Safarov
Â
“VPN as the Key for a Successful MSP Business” is a Tactical eHandbook that reveals Virtual Private Networks as the tactics of a successful delivering of managed services and presupposes that you are an IT Services Provider whose strategy is delivering of managed services already. Please be aware that Virtual Private Networks are considered in the eHandbook as a way of delivering of managed services, but not as a service itself.
Beyond eduroam: Combining eduroam, (5G) SIM authentication and OpenRoamingKarri Huhtanen
Â
A presentation at FUNET Technical Days 2021 about research projects combining (5G) SIM authentication to eduroam Finland and ongoing work and benefits with OpenRoaming global Wi-Fi roaming in roam.fi or eduroam Finland networks.
AnyConnect Gateway protects enterprise networks from attacks with topology hiding and provides secure delivery of SIP, voice, and video conferencing services. AnyConnect Gateway supports TLS encryption for secure SIP signaling and SRTP encryption and VPN connections for secure data transport with confidentiality, message authentication, and replay protection. Together these protocols protect voice, video conferencing, and unified communications from eavesdroppers, hackers and spoofers.
There are different dimensions for scalability of a distributed storage system: more data, more stored objects, more nodes, more load, additional data centers, etc. This presentation addresses the geographic scalability of HDFS. It describes unique techniques implemented at WANdisco, which allow scaling HDFS over multiple geographically distributed data centers for continuous availability. The distinguished principle of our approach is that metadata is replicated synchronously between data centers using a coordination engine, while the data is copied over the WAN asynchronously. This allows strict consistency of the namespace on the one hand and fast LAN-speed data ingestion on the other. In this approach geographically separated parts of the system operate as a single HDFS cluster, where data can be actively accessed and updated from any data center. The presentation also cover advanced features such as selective data replication.
Extended version of presentation at Strata + Hadoop World. November 20, 2014. Barcelona, Spain.
http://strataconf.com/strataeu2014/public/schedule/detail/39174
This ppt show the very fundamental aspects of VPN(Virtual Private Networks) and show why it is used and its associated benefits. Also show characteristics, Tunneling, Encapsulation, etc.
Overview of VPN protocols.
VPNs (Virtual Private Networks) are often viewed from the perspective of security with the goal of providing authentication and confidentiality.
However, the primary purpose of VPNs is to connect 2 topologically separated private networks over a public network (typically the Internet).
VPNs basically hook a network logically into another network so that both appear as one private local network.
Security is a possible add-on to VPNs. In many cases it makes perfectly sense to secure the VPNs communication over the unsecure public network.
VPN protocols typically employ a tunnel where data packets of the local network are encapsulated in an outer protocol for transmission over the public network.
The most important VPN protocols are IPSec, PPTP and L2TP. In recent years SSL/TLS based VPNs such as OpenVPN have gained widespread adoption.
VPN as the Key for a Successful MSP BusinessSafar Safarov
Â
“VPN as the Key for a Successful MSP Business” is a Tactical eHandbook that reveals Virtual Private Networks as the tactics of a successful delivering of managed services and presupposes that you are an IT Services Provider whose strategy is delivering of managed services already. Please be aware that Virtual Private Networks are considered in the eHandbook as a way of delivering of managed services, but not as a service itself.
Beyond eduroam: Combining eduroam, (5G) SIM authentication and OpenRoamingKarri Huhtanen
Â
A presentation at FUNET Technical Days 2021 about research projects combining (5G) SIM authentication to eduroam Finland and ongoing work and benefits with OpenRoaming global Wi-Fi roaming in roam.fi or eduroam Finland networks.
AnyConnect Gateway protects enterprise networks from attacks with topology hiding and provides secure delivery of SIP, voice, and video conferencing services. AnyConnect Gateway supports TLS encryption for secure SIP signaling and SRTP encryption and VPN connections for secure data transport with confidentiality, message authentication, and replay protection. Together these protocols protect voice, video conferencing, and unified communications from eavesdroppers, hackers and spoofers.
There are different dimensions for scalability of a distributed storage system: more data, more stored objects, more nodes, more load, additional data centers, etc. This presentation addresses the geographic scalability of HDFS. It describes unique techniques implemented at WANdisco, which allow scaling HDFS over multiple geographically distributed data centers for continuous availability. The distinguished principle of our approach is that metadata is replicated synchronously between data centers using a coordination engine, while the data is copied over the WAN asynchronously. This allows strict consistency of the namespace on the one hand and fast LAN-speed data ingestion on the other. In this approach geographically separated parts of the system operate as a single HDFS cluster, where data can be actively accessed and updated from any data center. The presentation also cover advanced features such as selective data replication.
Extended version of presentation at Strata + Hadoop World. November 20, 2014. Barcelona, Spain.
http://strataconf.com/strataeu2014/public/schedule/detail/39174
SYMANTEC ENDPOINT PROTECTION Interfacing the SEPM with Protection CenterDsunte Wilson
Â
Protection Center lets you manage Symantec Endpoint Protection together with other Symantec products in a single environment. Symantec Endpoint Protection is integrated with Protection Center by means of a series of Web services.
These Web services provide communication between the Symantec Endpoint Protection Manager server and the Protection Center server.
For the first time I am here to cover all CCNA tracis in this Cisco CCNA Certification Exams presentation using the attractive ways.
For those who are not familiar with cisco ccna tracks can find all information about all Cisco CCNA tracks and there exams. I've also covered preparation resources for every exam.
We have covered the following Topics in this Presentation:
CCDA
CCNA Routing and Switching
CCNA Data Center
CCNA Security
CCNA Service Provider
CCNA Video
CCNA Voice
CCNA Wireless
if your are always confused about ip tunneling L2/L3 tunneling ipsec acces vpn u have to come to right place This presentation in pdf will get you started on right path towards tunnling concept & implementaion
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Â
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Â
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
Â
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Â
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
Â
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Â
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
DevOps and Testing slides at DASA ConnectKari Kakkonen
Â
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
17. IPSec VPN Client Operation Remote User with IPSec Client Home Gateway Router Home Network Certificate Authority/ AAA Public Network Exchange X.509 or One-Time Password Secure Tunnel Established Encrypted Data flows Dial Access to Corporate Network IKE Negotiation Authentication Approved
18.
19.
20.
21.
22. VPNs and Quality of Service Voice Premium IP Best Effort Tunnel Conforming Traffic Packet Classification CAR Traffic Policing CAR Congestion Avoidance WRED Tunnel Layer 2TP IPSec, GRE AAA CA PBX
24. Three Types of VPNs Type Remote access VPN Application Mobile users Remote connectivity Alternative To Dedicated dial ISDN Intranet VPN Extranet VPN Site-to-site Internal connectivity Leased line Business-to-business External connectivity Fax Mail EDI Time Ubiquitous access, lower cost Benefits Extend connectivity, lower cost Facilitates e-commerce
25.
26. Access VPN Operation Overview SP Network/ Internet POP Corporate Intranet Mobile Users and Telecommuters 1. VPN identification 2. Tunnel to home gateway Security Server 3. User authentication 4. PPP negotiation with user 5. End-to-end tunnel established Home Gateway NAS
27. Access VPN Basic Components Dial Client (PPP Peer) AAA Server (RADIUS/TACACS+) ISDN ASYNC L2TP Access Concentrator AAA Server (RADIUS/TACACS +) L2TP Network Server ( Home Gateway)
32. The Intranet VPN Enterprise DMZ Web Servers DNS Server STMP Mail Relay AAA CA Remote Office Service Provider A Regional Office Potential Operations and Infrastructure Cost Savings Extends the Corporate IP Network Across a Shared WAN
33. The Extranet VPN Business Partner Enterprise DMZ Web Servers DNS Server STMP Mail Relay AAA CA Service Provider A Service Provider B Extends Connectivity to Business Partners, Suppliers, and Customers Security Policy Very Important Supplier
34.
35. Comparing the Types Intranet Access VPN NAS-Initiated Extranet Type Client-Initiated Router-Initiated X X X X X X X X
37. Health Care Company Intranet Deployment Challenge—Low-cost means for connecting remote sites with primary hospital Primary Hospital Remote Centers Remote Center Public Network Private Network
38.
39. Traditional Dialup Versus Access VPN Monthly long-distance charges per minute Avg. use per day, per user (min) Traditional Dialup Access VPN Number of users Remote access server One-time installation fee: 10 phone lines 20 $4,600 $1,000 $5,000 20 $3,000 $1,000 Number of users Access router, T1/E1, DSU/CSU, firewall VPN client software ($50/user) T1/E1 installation $0.10 90 Central site T1/E1 Intranet access Monthly ISP access ($20/user) $2,500 $400
40. Traditional Dialup Versus Access VPN Traditional Dial-Up Access VPN Number of users Remote access server One-time installation fee-10 phone lines 20 $4,600 $1,000 $5,000 20 $3,000 $1,000 Number of users Access router, T1/E1, DSU/CSU, firewall VPN client software ($50/user) T1/E1 installation One-time capital cost $4,000 One-time capital cost $10,600 Recurring cost $5,400 Recurring cost $2,900 Monthly long distance charges per minute Avg. use per day per user (min) $0.10 90 Central site T1/E1 Intranet access Monthly ISP access ($20/user) $2,500 $400
41. VPN Payback 0 $20,000 $40,000 $60,000 $80,000 1 2 3 4 5 6 7 8 9 10 11 12 Month Payback in 3 months!! Total Cost Traditional VPN
VPNs are a common topic today. Just about everyone is talking about implementing one. This module explains what a VPN is and covers the basic VPN technology. We’ll also go through some examples of VPNs including a return on investment analysis.
So, what is a VPN? Simply defined, a VPN is an enterprise network deployed on a shared infrastructure employing the same security, management, and throughput policies applied in a private network. A VPN can be built on the Internet or on a service provider’s IP, Frame Relay, or ATM infrastructure. Businesses that run their intranets over a VPN service enjoy the same security, QoS, reliability, and scalability as they do in their own private networks. VPNs based on IP can naturally extend the ubiquitous nature of intranets over wide-area links, to remote offices, mobile users, and telecommuters. Further, they can support extranets linking business partners, customers, and suppliers to provide better customer satisfaction and reduced manufacturing costs. Alternatively, VPNs can connect communities of interest, providing a secure forum for common topics of discussion.
Building a virtual private network means you use the “public” Internet (or a service provider’s network) as your “private” wide-area network. Since it’s generally much less expensive to connect to the Internet than to lease your own data circuits, a VPN may allow to you connect remote offices or employees who wouldn’t ordinarily justify the cost of a regular WAN connection. VPNs may be useful for conducting secure transactions, or transferring highly confidential data between offices that have a WAN connection. Some of the technologies that make VPNs possible are: Tunneling Encryption QoS Comprehensive security
Why should customers consider a VPN? Company information is secured VPNs allow vital company information to be secure against unwanted intrusion Reduce costs Internet-based VPNs offer low-cost connectivity from anywhere in the world, and can be considered a viable replacement for leased-line or Frame Relay services Using the Internet as a replacement for expensive WAN services can cut costs by as much as 60 percent, according to Forrester Research Also lower remote costs by connecting a mobile user over the Internet. (Often referred to as a virtual private dial-up networking, or VPDN). Wider connectivity options for users A VPN can provide more connectivity options (for example, over cable, DSL, telephone, or Ethernet) Increased speed of deployment Extranets can be created more easily (you don’t wait for suppliers). This keeps the customer in control of their own destiny. However, for an Internet-based VPN to be considered as a viable replacement for leased-line or Frame Relay service, it must be able to offer a comparable level of security, quality of service, and reliability.
The strain on today's corporate networks is greater than ever before. Network managers must continually find ways to connect geographically dispersed work groups in an efficient, cost-effective manner. Increasing demands from feature-rich applications used by a widely dispersed workforce are causing businesses of all sizes to rethink their networking strategies. As companies expand their networks to link up with partners, and as the number of telecommuters and remote users continues to grow, building a distributed enterprise becomes ever more challenging. To meet this challenge, VPNs have emerged, enabling organizations to outsource network resources on a shared infrastructure. Access VPNs in particular appeal to a highly mobile work force, enabling users to connect to the corporate network whenever, wherever, or however they require.
Scores of network managers are faced with a daunting task: connect a growing number of geographically dispersed sites to their enterprise networks while working within a limited budget. VPNs can help companies reap benefits such as dramatically lower WAN costs, improved global connectivity, and better reliability, while enabling capabilities such as secure extranet communications. Remote dial, Internet, intranet, and extranet access can all be consolidated over a single WAN connection to the Internet. VPNs are attractive to networking managers because they provide easy access to intranets, the in-house communication tools that companies are using increasingly to run their mission-critical applications. Because intranets are built on IP-based Web browsers, VPNs based on IP are required to extend their capabilities transparently, over wide-area links to remote offices, mobile workers, and telecommuters within a company, or to suppliers, business partners, and customers outside an organization. Managers are considering VPNs for other compelling reasons, too: reduced long-distance phone charges for remote access, lower operational and capital equipment costs, faster and easier connectivity, and simplified WAN administration.
The traditional drivers of network deployment are also driving the deployment of VPNs. New networked applications, such as videoconferencing, distance learning, advanced publishing, and voice applications, offer businesses the promise of improved productivity and reduced costs. As these networked applications become more prevalent, businesses are increasingly looking for intelligent services that go beyond transport to optimize the security, quality of service, management and scalability/reliability of applications end to end.
This what a VPN might look like for a company with offices in Munich, New York, Paris, and Milan.
Let’s take a look at some of the technologies that are integral to virtual private networks.
Business-ready VPNs rely on both security and QoS technologies. Let’s take a look at both of these in more detail.
Deploying WANs on a shared network makes security issues paramount. Enterprises need to be assured that their VPNs are secure from perpetrators observing or tampering with confidential data passing over the network and from unauthorized users gaining access to network resources and proprietary information. Encryption, authentication, and access control guard against these security breaches. Key components of VPN security are as follows: Tunnels and encryption Packet authentication Firewalls and intrusion detection User authentication These mechanisms complement each other, providing security at different points throughout the network. VPN solutions must offer each of these security features to be considered a viable solution for utilizing a public network infrastructure. Let’s start by looking at tunnels and encryption. We’re going to look in detail at Layer 2 Tunneling Protocol (L2TP), Generic Routing Encapsulation (GRE), for tunnel support, as well as the strongest standard encryption technologies available--- IPSec, DES and 3DES.
Layer 2 Forwarding (L2F) enables remote clients to gain access to corporate networks through existing public infrastructures, while retaining control of security and manageability. Cisco has submitted this new technology to the IETF for approval as a standard. It supports scalability and reliability features as discussed in later sections of this document. L2F achieves private network access through a public system by building a secure "tunnel" across a public infrastructure to connect directly to a home gateway. The service requires only local dialup capability, reducing user costs and providing the same level of security found in private networks. Using L2F tunneling, service providers can create a virtual tunnel to link customer remote sites or remote users with corporate home networks. In particular, a network access server at the POP exchanges PPP messages with the remote users and communicates by L2F requests and responses with the customer's home gateway to set up tunnels. L2F passes protocol-level packets through the virtual tunnel between endpoints of a point-to-point connection. Frames from remote users are accepted by the service provider POP, stripped of any linked framing or transparency bytes, encapsulated in L2F, and forwarded over the appropriate tunnel. The customer's home gateway accepts these L2F frames, strips the L2F encapsulation, and processes incoming frames for the appropriate interface. Layer 2 Tunneling Protocol (L2TP) is an extension to PPP. It is a draft IETF standard derived from Cisco L2F and Microsoft Point-to-Point Tunneling Protocol (PPTP). L2TP delivers a full range of security control and policy management features, including end-user security policy control. Business customers have ultimate control over permitting and denying users, services, or applications.
GRE, or Generic Routing Encapsulation, is the standard solution for Service Providers that have an established IP network and want to provide managed IP VPN services. One of the most significant advantages of this approach is that Service Providers can offer application-level QoS. This is possible because the routers still have visibility into the additional IP header information needed for fine-grained QoS (this is hidden in an IPSec packet). Traffic is restricted to a single provider’s network, allowing end-to-end QoS control. This restriction of “on-net only” traffic also allows the GRE tunnels to remain secure without using encryption. Customers who require greater levels of security can still use “on-demand” application-level encryption such as secure connections in a web browser. The entire connection may be encrypted, but at the cost of QoS granularity. In summary, GRE offers: Encryption-optional tunneling. Fine-grained QoS service capabilities, including application-level QoS. IP-level visibility makes this the platform of choice for building value-added services such as application-level bandwidth management.
Now let’s take a look at encryption. IPSec provides IP network-layer encryption. IPSec is a standards-based technology that governs security management in IP environments. Originally conceived to solve scalable security issues in the Internet, IPSec establishes a standard that lets hardware and software products from many vendors interoperate more smoothly to create end-to-end security. IPSec provides a standard way to exchange public cryptography keys, specify an encryption method (e.g., data encryption standard (DES) or RC4), and specify which parts of packet headers are encrypted.
IPSec assumes that a security association is in place, but does have a mechanism for creating that association. The IETF chose to break the process into two parts: IPSec provides the packet level processing while IKE negotiates security associations. IKE is the mechanism IPSec uses to set up SAs IKE can be used for more than just IPSec. IPSec is its first application. It can also be used with S/Mime, SSL, etc. IKE does several things: Negotiates its own policy. IKE has several methods it can use for authentication and encryption. It is very flexible. Part of this is to positively identify the other side of the connection. Once it has negotiated an IKE policy, it will perform an exchange of key-material using authenticated Diffie-Hellman. After the IKE SA is established, it will negotiate the IPSec SA. It can derive the IPSec key material with a new Diffie Hellman or by a permutation of existing key material. Summarize that IKE does these 3 things: Identification Negotiation of policy Exchange key material
Now that you understand both IPSec and IKE, let’s look at what really happens from the client’s perspective. An IPSec client is a software component that allows a desktop user to create an IPSec tunnel to a remote site. IPSec provides privacy, integrity, and authenticity for VPN client operations. With IPSec, no one can see what data you are sending and no one can change it. What’s input by a remote user dialing in via the public Internet is encrypted all the way to corporate headquarters with an IPSec client to a router at the home gateway. Here’s how it works. First, the remote user dials into the corporate network. The client uses either an X.509 or one-time password with a AAA server to negotiate an Internet Key Exchange. Only after it’s authenticated is a secure tunnel created. Then all data is encrypted. IPSec is transparent tot he network infrastructure and is scalable from very small applications to very large networks. As you can see, this is an ideal way to connect remote users or telecommuters to corporate networks in a safe and secure environment. NOTE: THIS SLIDE USES BUILDS.
11 9 25 Another thing that people often get confused about is the relationship between L2TP and IPSec. Remember that L2TP is Layer 2 Tunneling Protocol. Some people think that the two technologies are exclusive of each other. In fact, they are complementary. So you can use both of these together. IPSec can create remote tunnels. L2TP can provide tunnel and end-to-end authentication. So IPSec is going to maintain the encryption, but often times you want to tunnel non-IP traffic in addition to IP traffic. L2TP can be useful for that.
DES stands for Data Encryption Standard. It is a widely adopted standard created to protect unclassified computer data and communications. DES has been incorporated into numerous industry and international standards since its approval in the late 1970s. DES and 3DES are strong forms of encryption that allow sensitive information to be transmitted over untrusted networks. They enable customers to utilize network layer encryption. The encryption algorithm specified by DES is a symmetric, secret-key algorithm. Thus it uses one key to encrypt and decrypt messages, on which both the sending and receiving parties must agree before communicating. It uses a 56-bit key, which means that a user must correctly employ 56 binary numbers, or bits, to produce the key to decode information encrypted with DES. DES is extremely secure, however, it has been cracked on several occasions by chaining hundreds of computers together at the same time; but even then, it took a very long time to break. This led to the development of Triple DES which uses a 168-bit algorithm.
A critical part of an overall security solution is a network firewall, which monitors traffic crossing network perimeters and imposes restrictions according to security policy. In a VPN application, firewalls protect enterprise networks from unauthorized access to computing resources and network attacks, such as denial of service. Furthermore, for authorized traffic, a VPN firewall verifies the source of the traffic and prescribes what access privileges users are permitted.
A key component of VPN security is making sure authorized users gain access to enterprise computing resources they need, while unauthorized users are shut out of the network entirely. AAA services (that stands for authentication, authorization, and accounting) provide the foundation to authenticate users, determine access levels, and archive all the necessary audit and accounting data. Such capabilities are paramount in the dial access and extranet applications of VPNs. Now that we’re done looking at security, let’s move on to QoS.
So how does QoS play a role in VPNs? Well, the goal of QoS is to control the utilization of bandwidth so that you can support mission critical applications. Here’s how it works. The customer premises equipment or CPE assigns packet priority based on the network policy. Packets are marked and bandwidth is managed so that the VNP WAN links don’t choke out the important traffic. One example of this could be an employee watching television off the Internet to his PC where the video traffic clogs a small 56K WAN line making it impossible for mission critical financial application data to pass. With QoS, you can take advantage of the service providers differentiated services to maximize network resources and minimize congestion at peak times. For example, e-mail traffic doesn’t care about latency, but video and mission-critical applications do. Some components of bandwidth management/QoS that apply to VPNs are as follows: Packet classification---assigns packet priority based on enterprise network policy Committed access rate (CAR)---provides policing and manages bandwidth based on applications and/or users according to enterprise network policy Weighted Random Early Detection (WRED)---complements TCP in predicting and managing network congestion on the VPN backbone, ensuring predictable throughput rates These QoS features complement each other, working together in different parts of the VPN to create a comprehensive bandwidth management solution. Bandwidth management solutions must be applied at multiple points on the VPN to be effective; single point solutions cannot ensure predictable performance.
Let’s look now at the three types of VPNs.
As previously stated, VPN is defined as customer connectivity deployed on a shared infrastructure with the same policies as a private network. The shared infrastructure can leverage a service provider IP, Frame Relay, or ATM backbone, or the Internet. Cisco defines three types of virtual private networks according to how businesses and organizations use VPNs: Access VPNs provide remote connectivity to telecommuters and mobile users. They’re typically an alternative to dedicated dial or ISDN connections. They offer users a range of connectivity options as well as a much lower cost solution. Intranet VPNs link corporate headquarters, remote offices, and branch offices over a shared infrastructure using dedicated connections. The VPN typically is an alternative to a leased line. It provides the benefit of extended connectivity and lower cost. Extranet VPNs link customers, suppliers, partners, or communities of interest to a corporate intranet over a shared infrastructure using dedicated connections. In this example, the VPN is often an alternative to fax, snail mail, or EDI. The extranet VPN facilitates e-commerce. Let’s look at the Access VPN in more detail.
Remote access VPNs extend the corporate network to telecommuters, mobile workers, and remote offices with minimal WAN traffic. They enable users to connect to their corporate intranets or extranets whenever, wherever, or however they require. Remote access VPNs provide connectivity to a corporate intranet or extranet over a shared infrastructure with the same policies as a private network. Access methods are flexible---asynchronous dial, ISDN, DSL, mobile IP, and cable technologies are supported. Migrating from privately managed dial networks to remote access VPNs offers several advantages, most notably: Reduced capital costs associated with modem and terminal server equipment Ability to utilize local dial-in numbers instead of long distance or 800 numbers, thus significantly reducing long distance telecommunications costs Greater scalability and ease of deployment for new users added to the network Restored focus on core corporate business objectives instead of managing and retaining staff to operate the dial network
16 In an Access VPN environment, the most important aspect of security revolves around identifying a user as a member of an approved customer company and establishing a tunnel to its home gateway, which handles per-user authentication, authorization, and accounting (AAA). User authentication is a critical characteristic of an Access VPN. Through a local point of presence (POP), a client establishes communication with the service provider network (1), and secondarily establishes a connection with the customer network (2). The Access VPN tunnel end points authenticate each other (3). Next, the user connects to the customer premises equipment (CPE) home gateway server (local network server) using PPP or SLIP (4) and is authenticated through a username/password handling protocol such as PAP, CHAP, or TACACS+. The home gateway maintains a relationship with an access control server (ACS), also known as an AAA server, using TACACS+ or RADIUS protocols. At this point, authorization is set up using the policies stored in the ACS and communicated to the home gateway at the customer premises (5). Often, the customer administrates the ACS server, providing ultimate and centralized control of who can access its network as well as which servers can be accessed. User profiles define what the user can do on the network. Using authorization profiles, the network creates a "virtual interface" for each user. Access policies are enforced using Cisco IOS software specific to each interface.
5 An access VPN has two basic components: L2TP Network Server (LNS): A device such as a Cisco router located in the customer premises. Remote dial users access the home LAN as if they were dialed into the home gateway directly, although their physical dialup is via the ISP network access server. Home gateway is the Cisco term for LNS. An LNS operates on any platform capable of PPP termination. LNS handles the server side of the L2TP protocol. Because L2TP relies only on the single media over which L2TP tunnels arrive, LNS may have only a single LAN or WAN interface, yet still be able to terminate calls arriving at any LAC's full range of PPP interfaces (async, synchronous ISDN, V.120, and so on). LNS is the initiator of outgoing calls and the receiver of incoming calls. LNS is also known as HGW in L2F terminology. L2TP Access Concentrator (LAC): A device such as a Cisco access server attached to the switched network fabric (for example, PSTN or ISDN) or colocated with a PPP end system capable of handling the L2TP protocol. An LAC needs to only implement the media over which L2TP is to operate to pass traffic to one or more local network servers (LNSs). It may tunnel any protocol carried within PPP. LAC is the initiator of incoming calls and the receiver of outgoing calls. LAC is also known as NAS in L2F.
There are two types of Access VPNs. Essentially they are dedicated or dial. With a dedicated or client-initiated Access VPNs, users establish an encrypted IP tunnel from their clients across a service provider's shared network to their corporate network. With a client-initiated architecture, businesses manage the client software tasked with initiating the tunnel. Client-initiated VPNs ensure end-to-end security from the client to the host. This is ideal for banking applications and other sensitive business transactions over the Internet. With client-initiated VPN Access, the end user has IPSec client software installed at the remote site, which can terminate into a firewall for termination into the corporate network. IPSec and IKE and certificate authority are used to generate the encryption, authentication, and certificate keys to be used to ensure totally secure VPN solutions.
An advantage of a client-initiated model is that the "last mile" service provider access network used for dialing to the point of presence (POP) is secured. An additional consideration in the client-initiated model is whether to utilize operating system embedded security software or a more secure supplemental security software package. While supplemental security software installed on the client offers more robust security, a drawback to this approach is that it entails installing and maintaining tunneling/encryption software on each client accessing the remote access VPN, potentially making it more difficult to scale.
8 24 In a NAS-initiated scenario, client software issues are eliminated. A remote user dials into a service provider's POP using a PPP/SLIP connection, is authenticated by the service provider, and, in turn, initiates a secure, encrypted tunnel to the corporate network from the POP using L2TP or L2F. With a NAS-initiated architecture, all VPN intelligence resides in the service provider network---there is no end-user client software for the corporation to maintain, thus eliminating client management burdens associated with remote access. The drawback, however, is lack of security on the local access dial network connecting the client to the service provider network. In a remote access VPN implementation, these security/management trade-offs must be balanced.
Pros: NAS-initiated Access VPNs require no specialized client software, allowing greater flexibility for companies to choose the access software that best fits their requirements. NAS solutions use robust tunneling protocols such as Cisco L2F or L2TP. IPSec provides encryption only, in contrast with the client-initiated model where IPSec enables both tunneling and encryption. Premium service examples include reserved modem ports, guarantees of modem availability, and priority data transport. The NAS can simultaneously be used for Internet as well as VPN access. All traffic to a given destination travels over a single tunnel from a NAS, making larger deployments more scalable and manageable. Con: NAS-initiated Access VPN connections are restricted to POPs that can support VPNs.
Intranet VPNs: Link corporate headquarters, remote offices, and branch offices over a shared infrastructure using dedicated connections. Businesses enjoy the same policies as a private network, including security, quality of service (QoS), manageability, and reliability. The benefits of an intranet VPN are as follows: Reduced WAN bandwidth costs Connect new sites easily Increased network uptime by enabling WAN link redundancy across service providers Building an intranet VPN using the Internet is the most cost-effective means of implementing VPN technology. Service levels, however, are generally not guaranteed on the Internet. When implementing an intranet VPN, corporations need to assess which trade-offs they are willing to make between guaranteed service levels, network ubiquity, and transport cost. Enterprises requiring guaranteed throughput levels should consider deploying their VPNs over a service provider's end-to-end IP network, or, potentially, Frame Relay or ATM.
Extending connectivity to corporate partners and suppliers is expensive and burdensome in a private network environment. Expensive dedicated connections must be extended to the partner, management and network access policies must be negotiated and maintained, and often compatible equipment must to be installed on the partner's site. When dial access is employed, the situation is equally complicated because separate dial domains must be established and managed. Due to the complexity, many corporations do not extend connectivity to their partners, resulting in complicated business procedures and reduced effectiveness of their business relationships. One of the primary benefits of a VPN WAN architecture is the ease of extranet deployment and management. Extranet connectivity is deployed using the same architecture and protocols utilized in implementing intranet and remote access VPNs. The primary difference is the access permission extranet users are granted once connected to their partner's network.
25 Intranet and extranet VPN services based on IPSec, GRE, and mobile IP create secure tunnels across an IP network. These technologies leverage industry standards to establish secure, point-to-point connections in a mesh topology that is overlaid on the service provider's IP network or the Internet. They also offer the option to prioritize applications. An IPSec architecture, however, includes the IETF proposed standard for IP-based encryption and enables encrypted tunnels from the access point to and across the intranet or extranet. An alternative approach to intranet and extranet VPNs is to establish virtual circuits across an ATM or Frame Relay backbone. With this architecture, privacy is accomplished with permanent virtual circuits (PVCs) instead of tunnels. Encryption is available for additional security as an optional feature, but more commonly, it is applied as needed by individual applications. Virtual circuit architectures provide prioritization through quality of service for ATM and committed information rate for Frame Relay. Finally, in addition to IP tunnels and virtual circuits, intranet and extranet VPNs can be deployed with a Tag Switching/MPLS architecture. Tag Switching is a switching mechanism created by Cisco Systems and introduced to the IETF under the name MPLS. MPLS has been adopted as an industry standard for converging IP and ATM technologies. A VPN built with Tag Switching/MPLS affords broad scalability and flexibility across any backbone choice whether IP, ATM, or multivendor. With Tag Switching/MPLS, packets are forwarded based on a VPN-based address that is analogous to mail forwarded with a postal office zip code. This VPN identifier in the packet header isolates traffic to a specific VPN. Tag Switching/MPLS solves peer adjacency scalability issues that occur with large virtual circuit topologies. It also offers granularity to the application for priority and bandwidth management, and it facilitates incremental multiservice offerings such as Internet telephony, Internet fax, and videoconferencing.
Access VPNs are differentiated from intranet and extranet VPNs primarily by the connectivity method into the network. While an access VPN refers to dialup (or part-time) connectivity, an intranet or extranet VPN may contain both dialup and dedicated links. The distinction between intranet and extranet VPNs is essentially in the users that will be connecting to the network and the security restrictions that each will be subject to.
Let’s look at some real examples of VPNs.
Here we have a health care company that's deploying an intranet. Well, why would they care so much about security? Your health records are something that you want to be secure. This is information that you don't want non-authorized personnel to have access to. So you can see on the screen, the company has a number of remote centers. In this case, these are like doc-in-the-box, those little new medical clinics that are springing up. So those are relayed back to a primary network and back to the association where the primary hospital that these different medical centers are associated with resides. So a lot of more sophisticated databases, etc., can be back at the hospital, and they can share the Internet and, with confidence, share medical data that they don't want to have published to the outside world.
Another example would be branch offices or perhaps telecommuters. So the challenge is getting a cost-effective means to connect those small offices that maybe can't afford a leased line or a leased line wouldn't be appropriate for. And so with IPSec, you can encrypt the traffic from the remote sites to the enterprise. It doesn't matter what applications the users are using. This isn't just encrypting mail or just encrypting the database or something like that. You can encrypt all traffic if you want to. And so that's something that you can set up right into the router in terms of what traffic you want to encrypt right into your client. So using this, telecommuters can have full access safely to the corporation.
To illustrate the savings an Access VPN can provide, compare the cost of implementing one with that of supporting a dial-up remote access application. Suppose a small manufacturing firm must support 20 mobile users dialing into the corporate network to access the company database and e-mail for approximately 90 minutes per day (per user). In the traditional dial-up model, the 20 mobile workers use a modem to dial long distance directly into their corporate remote access server. Most of the cost in this scenario comes from the monthly toll chares and the time and effort required to manage modem pools (access server) that accrue on an on-going basis over the life of the application. By using an access VPN, the manufacturing firm’s monthly toll charges can be significantly reduced. The mobile users will dial into a service provider’s local point of presence (POP) and initiate a tunnel back to the corporate headquarters over the Internet. Instead of paying long distance/800 toll charges, users pay only the cost equivalent to making a local call to the ISP. The initial investment in equipment and installation of an access VPN may be recaptured quickly by the savings in monthly toll charges. How long will it take the manufacturing firm to realize a payback of the initial capital investment, then realize recurring monthly savings?
Now, with the access VPN, you can see that there's more installation charges. But let's add them up and see what happens. So you can see the one-time capital expense using the access VPNs rose from $4,000 for the dialup users up to $10,600 for the VPN. But the recurring costs dropped from $5400 per month down to $2,900 per month. $2500 savings per month! Traditional Dial-up Access VPN Month Capital Recurring Total Capital Recurring Total 1 $4,000 $5,400 $9,400 $10,600 $2,900 $13,500 2 $5,400 $14,800 $2,900 $16,400 3 $5,400 $20,200 $2,900 $19,300 While costs will vary by region and local tariffs, this example illustrates that using an access VPN to support mobile users can typically provide returns on the initial investment in 6 months or less. While the initial installation and start-up costs of an Access VPN are higher, the advantages of streamlining ongoing monthly costs translates into big savings for total cost of ownership.
This chart shows us the return on investment. You can see that the payback is right about three months. So you can see that VPNs save money in the long run.
Lower cost: VPNs save money because they use the Internet, not costly leased lines, to transmit information to and from authorized users. Prior to VPNs, many companies with remote offices communicated through wide area networks (WANs), or by having remote workers make long-distance calls to connect to the main-office server. Both can be expensive propositions. WANs require establishing dedicated and inflexible leased lines between various business locations, which can be costly or impractical for smaller offices. Improved communications: A VPN provides a robust level of connectivity comparable to a WAN. With increased geographic coverage, remote offices, mobile employees, clients, vendors, telecommuters, and even international business partners can use a VPN to access information on a company's network. This level of interconnectivity allows for a more effective flow of information between a large number of people. The VPN provides access to both extranets and wide-area intranets, which opens the door for improved client service, vendor support, and company communications. Security: VPNs maintain privacy through the use of tunneling protocols and standard security procedures. A secure VPN encrypts data before it travels through the public network and decrypts it at the receiving end. The encrypted information travels through a secure "tunnel” that connects to a company's gateway. The gateway then identifies the remote user and lets the user access only the information he or she is authorized to receive. Increased flexibility: With a VPN, customers, suppliers and remote users can be added to the network easily and quickly. Some VPN solutions simplify the process of administering the network by allowing the system's manager to implement changes from any desktop computer. Once the equipment is installed, the company simply signs up with a service provider that activates the network by giving the company a slice of its bandwidth. This is much easier than establishing a WAN, which must be designed, built and managed by the company that creates it. VPNs also easily adapt to a company's growth. These systems can connect 2,000 people as easily as 25. Reliability: A secure VPN can be used for the authorization of orders from suppliers, the forwarding of revised legal documents, and many other confidential business processes. Recent improvements in VPN technology have also increased the system's reliability. Many service providers will guarantee 99% VPN uptime and will offer credits for unanticipated outages.