02-08-2014, 02:02 PM
Virtual Private Networks
ABSTRACT
A Virtual Private Network (VPN) is a concept introduced to implement a global Wide Area Network (WAN) on the Internet. In this way the enormous costs involved in the traditional implementation of these networks, i.e. through dedicated lines or satellite links, are reduced considerably. A way to maintain fast, secure and reliable communications is attained wherever the offices are.
In a VPN, the Internet is used as the data pipeline, replacing the traditional data lines. This approach is just right for small and medium sized business firms. Many companies are now creating their own VPN to accommodate the needs of remote employees and distant offices. Each remote member of your network can communicate in a secure and reliable manner, using the Internet as the medium to connect to the private LAN, simply by making a contract with an ISP. A VPN can grow to accommodate more users and different locations much more easily than a leased line. In fact, scalability is a major advantage that VPNs have over typical leased lines. Unlike leased lines, where the cost increases in proportion to the distances involved, the geographic locations of each office matter little in the creation of a VPN.
INTRODUCTION
The world has changed a lot in the last couple of decades. Instead of simply dealing with local or regional concerns, many businesses now have to think about global markets and logistics. Many companies have facilities spread out across the country or around the world, and there is one thing that all of them need: a way to maintain fast, secure and reliable communications wherever their offices are. Until fairly recently, this has meant the use of leased lines to maintain a wide area network (WAN). Leased lines, ranging from ISDN (integrated services digital network, 128 Kbps) to OC3 (Optical Carrier-3, 155 Mbps) fiber, provided a company with a way to expand its private network beyond its immediate geographic area. A WAN had obvious advantages over a public network like the Internet when it came to reliability, performance and security. But maintaining a WAN, particularly when using leased lines, can become quite expensive, and the cost often rises as the distance between the offices increases.
As the popularity of the Internet grew, businesses turned to it as a means of extending their own networks. First came intranets, which are password-protected sites designed for use only by company employees.
VPN TYPES
We all know that a WAN is simply a collection of local area networks, each located in a geographically distinct place, connected to each other to form a single network. Leased lines, which were used initially, do form a private network, but they are expensive. A VPN, by using the power of the public medium, creates a private connection called a tunnel to carry data from one geographical location to the other.
A VPN provides network-to-network or remote-user-to-network connectivity via the encrypted tunnel. Data must be encapsulated in an IP packet before it can be sent across a VPN. Network users use various encryption and authentication schemes to provide security. Some VPNs require specialised hardware, some require specialised software, and some require both, adding VPN capabilities to a firewall, server or router.
TUNNELLING
Virtual private networks protect tunnelled data through a combination of encryption, mutual host authentication and protocol tunnelling. One of the most basic methods of protecting transmitted data is encryption. This involves scrambling the transmitted data using a mathematical formula, so that even if the data transmission is intercepted, it cannot be recovered without the correct key.
Encryption can be enabled either in hardware, through network devices like routers, or in software. In the software case, encryption takes place when you connect through a tunnelling protocol like PPTP; in the case of router encryption it is performed on the fly.
One of the biggest difficulties encountered over the Internet is identifying the person or computer at the other end of the wire. This is addressed by authentication, a process in which the two hosts verify each other. This can be done through X.509 standard digital certificates, which exchange electronic signatures between the two parties. This electronic signature is then verified by a trusted third party, usually a public certifying authority or the company's own certificate server.
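The two mechanisms described above, encapsulating the inner packet in an encrypted tunnel payload and verifying the far end before trusting it, can be shown in working code. The following Go program is an added example, not code from the original document or from any VPN product. It assumes a simple illustrative tunnel packet layout (sequence number, nonce, AES-GCM ciphertext) that is not the wire format of PPTP, IPsec or any other real protocol; the key in `main` and the sample inner packet are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Illustrative tunnel packet layout (an assumption for this example, not the
// wire format of PPTP, IPsec or any other real VPN protocol):
//
//	[4-byte sequence number][12-byte nonce][AES-GCM ciphertext || 16-byte tag]
//
// The whole buffer becomes the payload of an outer IP packet addressed to the
// far end of the tunnel; the inner packet's addresses and contents are hidden.
const (
	seqLen   = 4
	nonceLen = 12 // standard AES-GCM nonce size
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encapsulate encrypts and authenticates one inner packet for the tunnel.
// The sequence number travels in the clear so the receiver can detect loss
// and replay, but it is bound to the ciphertext as additional authenticated
// data, so changing it invalidates the tag.
func encapsulate(key []byte, seq uint32, inner []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, seqLen)
	binary.BigEndian.PutUint32(hdr, seq)
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil { // a nonce must never repeat under one key
		return nil, err
	}
	out := make([]byte, 0, seqLen+nonceLen+len(inner)+gcm.Overhead())
	out = append(out, hdr...)
	out = append(out, nonce...)
	return gcm.Seal(out, nonce, inner, hdr), nil
}

// decapsulate checks the tag and recovers the inner packet. Any change to the
// header, nonce, ciphertext or tag, or use of the wrong key, yields an error
// rather than corrupted plaintext.
func decapsulate(key []byte, outer []byte) (uint32, []byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return 0, nil, err
	}
	if len(outer) < seqLen+nonceLen+gcm.Overhead() {
		return 0, nil, errors.New("tunnel packet too short")
	}
	hdr := outer[:seqLen]
	nonce := outer[seqLen : seqLen+nonceLen]
	inner, err := gcm.Open(nil, nonce, outer[seqLen+nonceLen:], hdr)
	if err != nil {
		return 0, nil, fmt.Errorf("tunnel authentication failed: %w", err)
	}
	return binary.BigEndian.Uint32(hdr), inner, nil
}

func main() {
	key := make([]byte, 32)
	rand.Read(key) // in practice the key comes from the VPN's key exchange
	// Constructed sample: a minimal IPv4 header (version 4, IHL 5) plus payload.
	inner := append([]byte{0x45, 0x00, 0x00, 0x20}, []byte("hello from the branch office")...)

	outer, err := encapsulate(key, 1, inner)
	if err != nil {
		panic(err)
	}
	fmt.Printf("inner %d bytes -> tunnel packet %d bytes\n", len(inner), len(outer))

	seq, got, err := decapsulate(key, outer)
	fmt.Println("receiver: seq", seq, "match", err == nil && bytes.Equal(got, inner))

	outer[len(outer)-1] ^= 0x01 // one bit flipped in transit
	_, _, err = decapsulate(key, outer)
	fmt.Println("receiver after tampering:", err)
}
```

The point of authenticated encryption here is that the receiver never acts on a packet whose tag does not verify: a flipped bit, a forged sequence number or a packet sealed under a different key all produce an error instead of silently corrupted data.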
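The certificate-based mutual authentication just described, where each host's certificate is vouched for by a trusted certifying authority and the host then proves it holds the matching private key, can be demonstrated with Go's standard `crypto/x509` and `crypto/ecdsa` packages. This is an added example and not code from the original document; the CA, gateway and router names are constructed, and the challenge-signature step is run in one process for both sides (in a real exchange the challenge and signature would cross the network).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var nextSerial int64 = 1 // illustrative; a real CA tracks serial numbers persistently

// issueCert creates a key pair and a certificate for name. With parent == nil
// the result is a self-signed CA certificate; otherwise the certificate is
// signed by parentKey, i.e. the parent vouches for the binding of name to key.
func issueCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	nextSerial++
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// authenticatePeer is one direction of the mutual check. The verifier
// (1) confirms that the peer's certificate chains to a root it trusts and
// (2) issues a fresh random challenge, which the peer signs with its private
// key, proving it holds the key named in the certificate. The peer's key is
// passed in only so that both sides can run in this one process.
func authenticatePeer(peer *x509.Certificate, peerKey *ecdsa.PrivateKey, roots *x509.CertPool) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := peer.Verify(opts); err != nil {
		return fmt.Errorf("certificate for %q not trusted: %w", peer.Subject.CommonName, err)
	}
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return err
	}
	digest := sha256.Sum256(challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, peerKey, digest[:]) // peer side
	if err != nil {
		return err
	}
	pub, ok := peer.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) { // verifier side
		return errors.New("peer could not prove possession of the certified key")
	}
	return nil
}

func main() {
	ca, caKey, err := issueCert("Example Corp CA", true, nil, nil)
	if err != nil {
		panic(err)
	}
	hq, hqKey, _ := issueCert("hq-gateway", false, ca, caKey)
	branch, branchKey, _ := issueCert("branch-router", false, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca) // the company's certificate server is the only trusted root

	fmt.Println("HQ verifies branch:", authenticatePeer(branch, branchKey, roots))
	fmt.Println("branch verifies HQ:", authenticatePeer(hq, hqKey, roots))

	// A certificate for the same name issued by a CA the company does not trust.
	rogueCA, rogueKey, _ := issueCert("Rogue CA", true, nil, nil)
	imposter, imposterKey, _ := issueCert("hq-gateway", false, rogueCA, rogueKey)
	fmt.Println("branch verifies imposter:", authenticatePeer(imposter, imposterKey, roots))
}
```

Both checks matter: chain verification alone would accept a copied certificate, and a challenge signature alone would accept any self-generated key; together they tie the far end of the tunnel to an identity the company's certifying authority has vouched for.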
OUTSOURCE A PRIVATE SITE
A company desiring to outsource its access responsibility can ask an ISP to manage a site for it. ISPs generally put their own dial-up equipment in locations termed points of presence (POPs). Under this model, a company may enter into a contract with the ISP to establish private POPs for its employees. This effectively moves the company's private dial-up equipment to a site that is managed by the ISP.
If the resources of a POP are dedicated to a single company, then the POP is no different from a remote company site, and therefore the same routing equipment used at the company's headquarters can be used at the POP. Since the site is private, all packets at the site can be in the clear. Tunnels only run between the router at the POP and the router at the company's headquarters.
This approach offloads the access responsibility to the ISP, but it is likely to be more expensive than any other option because equipment costs are not shared. It has the further disadvantage that it requires private facilities at as many POPs as are needed to provide local access to employees. Such an arrangement also locks employees in.
Finally, an ISP has to manage a list of authorized user names and passwords on behalf of the company to help control access to the private site. All this necessitates that a very close relationship exists between the outsourcing
OUTSOURCE A PRIVATE ACCESS SERVER
The previous models are not very attractive in that they are expensive, restrictive, and in some cases not very secure. They treat the ISP as a trusted extension of the outsourcing company. Though site outsourcing may make sense in certain situations, it is not likely to become a common practice. Site outsourcing may not be favoured by router vendors, except when they can sell a bunch of new routers to ISPs. All this brings us to another approach.
Instead of beginning the tunnel at the site router on behalf of all access servers at the ISP, it should be possible to begin a tunnel at each access server. This way, packets received at a dial-in port can be encrypted and encapsulated, and thus enter the tunnel before leaving the server, so that they are never in the clear on the ISP LAN. Placing the tunnel function in the access server is such a compelling improvement over the earlier two models that it has received the focused attention of all vendors. It has also provided the impetus for many new or proposed standards that may offer multivendor interoperability for server-router tunnels.
This model assumes that an outsourcing company asks an ISP to deploy some access servers at each POP and dedicate them to the company's employees. The phone numbers of these dedicated resources are made available only to company personnel. Of course, the ISP must know employee names and passwords so as to guard access to these servers, but if the servers are effectively protected, the company does not have to worry about users on other servers getting into one of their tunnels. Under this scheme, new code is required for both the access servers and the HQ (headquarters) router.
SHARE AN OUTSOURCED ACCESS SERVER
Because the new access servers are able to establish tunnels on behalf of each dial-in port, there is no reason why each tunnel cannot go to a different home gateway. Home gateways can be selected on the basis of user identity as authenticated by the ISP, and so tunnels from a single access server can go to different companies at the same time. Economy apart, this functionality is not necessarily any better than the prior scheme, and may be inferior in many ways. For example, in this model company authentication data does need to be held by the ISP, and access servers need to be trusted more than ever before. In addition, until tunnelling protocols are truly interoperable, it may not be possible for access servers from vendor A to talk to home gateways from vendor B. This implies many constraints for ISPs in the deployment of servers and the allocation of phone numbers, modem types, etc.
CONCLUSION
As the cost of setting up a global network is prohibitive for small and medium sized businesses, virtual private networks offer a cheap way to build a WAN. The problems addressed by VPNs concern security and performance. The standardisation of VPN technology will lead to its widespread use among network users.