IPv6
IPv6
Submit this article to your favorite social bookmarking websites  
Digg Facebook Technorati Google BlinkList Del.icio.us Yahoo StumbleUpon Ma.gnolia Reddit Simpy

VPN - Virtual Private Network
by Techwriters Future

Overview


VPN widely known as Virtual Private Network, is a communications network tunneled through another network, and dedicated for a specific network. In simple terms it can be defined as connecting two private networks through the public or shared network that is internet.

VPNs helps to transmit information via publicly shared network infrastructures by establishing secure links with remote private networks through a combination of tunneling, encryption, authentication technologies. Hence VPNs have gained widespread acceptance as preferred security solutions.

  IPv6

VPN the types and working

Lets go ahead further and study the types and functional specifications of it.VPN are generally grouped into two basic categories:

  • Remote Access VPNs

  • Site-to-Site VPN

  • Remote Access VPNs

    IPv6

    Fig. Remote Access VPN (Ref.www.ciscohardwaremaintenance.com)

    Remote Access VPNs are usually used to link private network from various remote locations. One of the important points in its implementation is to create a strong authentication .Mobile users connect to the network using VPN client software which encapsulates and encrypts that traffic before sending it over through the Internet to the VPN gateway. These VPNs are beneficial and economical as they provide mobility and are economical.

    Site-to-Site VPN

    Site-to-site VPNs are used to connect a branch office network to a company headquarters network. Here the VPN gateway encapsulates and encrypts the traffic before sending it through a VPN tunnel over the Internet, to a peer VPN gateway. On the remote end at the target site, the peer VPN gateway strips the headers, decrypts the content, and transmits the packet to the target host inside its private network.

    IPv6

    Fig. Site-to-Site VPN (Ref.www.ciscohardwaremaintenance.com)

    Site to site VPNs are further classified into Intranet and Extranet VPNs, lets go ahead and checkout what these are.

    The Intranet VPN is used to facilitate communications within a company's information infrastructure, by connecting one or more or more remote locations to form a private network.

    The Extranet VPN is used to connect LAN to LAN environment. For e.g. connection of various offices to form a common shared network. Internet Security Protocol (IPSec) is the commonly used as a security standard to the Internet-based VPN.

    A VPN uses numerous methods for keeping the connection and data safe and secure, some of them are the use of Authentication, Encryption , Internet Security Protocol (IPSec) , Tunneling. Let's check out what these are and how they are used.

    IPv6

    Fig. Site to Site VPN (Ref.http://www.chicagotech.net)

    Authentication:

    Authentication of connection is implemented by using authentication mechanisms like passwords, biometrics and cryptographic methods in firewalls, access gateways, and other devices.

    Encryption:

    Encryption is the process of transforming information using an algorithm that makes it unreadable to anyone except the intended recipient usually referred to as a key, which is needed for decryption of data to make it readable.

    Tunneling:

    Tunneling is the process of placing an entire packet within another packet and sending it over a network. The protocol of the outer packet is understood by the network and remote ends called tunnel interfaces, where the packet enters and exits the network.

    Some of the common tunneling protocols used by VPNs are:

  • Point-to-Point Tunneling Protocol (PPTP)

    PPTP protocol packages data within the PPP packets, further encapsulates the PPP packets within IP packets for transmission through a VPN tunnel. PPTP supports data encryption and compression of these packets. PPTP also uses a form of General Routing Encapsulation (GRE) to get data to and from its final destination.

    Here VPN tunnels are created via the following two-step process:

    1. The PPTP client connects to their ISP using PPP dial-up.

    2. PPTP creates a TCP control connection between the VPN client and VPN server to establish a tunnel. These connections are made using TCP port 1723.

    Once the VPN tunnel is established, PPTP supports two types of information flow:

  • Control messages for managing and eventually tearing down the VPN connection.

  • Data packets that pass through the tunnel, to or from the VPN client

  • Layer Two Tunneling Protocol (L2TP)

    IPv6

    Fig.Layer Two Tunneling Protocol (L2TP) (Ref.http://www.proprofs.com/)

    Layer Two Tunneling Protocol (L2TP) is a combination of Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Forwarding (L2F).L2TP encapsulates PPP frames that are sent over IP network.

    The L2TP frames include the following:

    1.L2TP connection maintenance messages that includes the L2TP header

    2.L2TP tunneled data that includes a PPP header and a PPP payload.

    Here Encryption is provided through the use of the Internet Protocol security (IPSec) Encapsulating Security Payload (ESP) header and trailer. The following fig. explains this process.

  • Internet Protocol Security (IPsec)

    IPsec is actually a collection of multiple protocols. It is used as a complete VPN protocol solution as well as a strong encryption scheme within L2TP or PPTP.The following Fig. shows IPSec in detail.



    Fig. IPSEC (Ref.www.interpeak.com)

    Internet Security Protocol (IPSec) Suite defined

    Internet Protocol Security Protocol (IPSec) provides enhanced security features such as encryption algorithms and comprehensive authentication.

    IPSec employs a powerful suite of encryption technologies that make it possible to combat the numerous threats in traditional IP-based networks which includes Authentication Header (AH): AH ties data in each packet to a verifiable signature that allows recipients to verify the identity of the sender well as the ability to ensure the data has not been altered during transit.

    The IP Authentication Header (AH) is primarily used to provide connectionless integrity and data origin authentication for the IP Datagrams and protection against replay attack. Authentication Header is based on the use of the integrity check value with an algorithm specified in the SA.AH protects the IP payload and all header fields of an IP datagram except for mutable fields, i.e. those that might be altered in transit. The following fig. shows an AH packet diagram:



    Field meanings:

    Next header
    Identifies protocol of the transferred data.

    Payload length
    Size of the AH packet.

    RESERVED
    Reserved for future use (all zeros).

    Security parameters index (SPI)
    Identifies the security parameters, which, in combination with the IP address, identifies the security association implemented in this packet.

    Sequence number
    A monotonically increasing number, used to prevent replay attacks.

    Authentication data

    Contains integrity check value (ICV) necessary for authenticating the packet.

    Encapsulating Security Payload (ESP): Using powerful encryption, ESP scrambles up the data, more properly referred to as the payload, of the packet into unreadable format for which only the receiver has the key to read. The encapsulation also conceals sensitive IP addresses of both ends.

    The Encapsulating Security Payload provides confidentiality protection, authentication, and data integrity. An ESP can be applied alone or in combination with an AH. Unlike AH, the IP packet header is not protected by ESP.ESP operates directly on top of the IP, using the IP protocol number 50.

    Ipv6

    Fig. An ESP Packet Diagram

    Field Meanings:

    Security parameters index (SPI)
    Identifies the security parameters in combination with IP address.

    Sequence Number
    A monotonically increasing number, used to prevent replay attacks.

    Payload Data
    The data to be transferred.

    Padding
    Used with some block ciphers to pad the data to full length of a block.

    Pad Length
    Size of the padding in bytes.

    Next Header
    Identifies the protocol of the transferred data.

    Authentication Data
    Contains the data used to authenticate the packet.

    Internet Key Exchange (IKE): This is the protocol is used for negotiation between the two communicating hosts on type of encryption algorithms to use, as well as the keys to use, and how long the keys will be valid before changing them. IKE also handles the responsibility required for the exchange of keys used to initiate and maintain the connection between the two hosts.

    Advantages and the future of VPN

    VPN has many advantages and benefits but some of the most important ones are:

  • Provides security while accessing mission critical information

  • Saves on long distance charges when remote users are out of the dialing area

  • Requires less hardware, e.g., modems used for dialup connections

  • Reduces the number of telephone lines needed for Internet access

    VPN Technology is in its early developmental stages, and more research is going on in this field to make it more secure and advanced. But at the same time exploitation of vulnerabilities is also a possibility as VPN is still in its developmental stage.

    At the same time the research and development of allied security features are accelerating the VPN growth. Further VPN as a technology brings us security, scalability, cost saving which makes it as one of the cost effective solutions available today.


  •