access method for branch and SOHO sites. A virtual private network (VPN) is a concept that describes how to create a private network over a public network infrastructure while maintaining confidentiality and security. VPNs use cryptographic tunneling protocols to provide sender authentication, message integrity, and confidentiality by protecting against packet sniffing. VPNs can be implemented at Layers 2, 3, and 4 of the Open Systems Interconnection (OSI) model. The figure illustrates a typical VPN topology. Components required to establish a VPN include:

- An existing network with servers and workstations
- Connection to the Internet
- VPN gateways (i.e., routers, PIX, ASA, VPN concentrators) that act as endpoints to establish, manage, and control VPN connections
- Software to create and manage tunnels
The key to VPN technology is security. VPNs secure data by encapsulating the data, encrypting the data, or both encapsulating the data and then encrypting it:

- Encapsulation is also referred to as tunneling because encapsulation transmits data transparently from network to network through a shared network infrastructure.
- Encryption codes data into a different format. Decryption decodes encrypted data back into the data’s original unencrypted format.

Encapsulation and encryption are discussed in more detail as this course progresses.
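The following added example (not part of the course text) contrasts the two mechanisms just described: encapsulation alone, where an on-path observer can still read the inner packet's addresses, and encapsulation followed by authenticated encryption, where only the gateway addresses remain visible and tampering is detected. The fixed-width header, the documentation-range addresses and the HMAC-based stream cipher are constructed stand-ins for real IP headers and for the AEAD (e.g. AES-GCM) that IPsec ESP would actually use; only the protocol numbers 47 (GRE) and 50 (ESP) are real IANA values.

```python
import hashlib, hmac, ipaddress, struct

# Constructed toy packet header (not real IPv4): src, dst, protocol, payload length.
HDR = struct.Struct("!4s4sBH")
PROTO_GRE = 47  # IANA protocol number for GRE (encapsulation only)
PROTO_ESP = 50  # IANA protocol number for IPsec ESP (encapsulation + encryption)
NONCE_LEN, TAG_LEN = 12, 32

def packet(src, dst, proto, payload):
    hdr = HDR.pack(ipaddress.ip_address(src).packed,
                   ipaddress.ip_address(dst).packed, proto, len(payload))
    return hdr + payload

def parse(pkt):
    """Split a toy packet into (src, dst, proto, payload)."""
    src, dst, proto, length = HDR.unpack_from(pkt)
    return (str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst)),
            proto, pkt[HDR.size:HDR.size + length])

def encapsulate(inner, gw_src, gw_dst):
    """Tunneling alone: the whole inner packet rides as the payload of an outer one."""
    return packet(gw_src, gw_dst, PROTO_GRE, inner)

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode as a toy stream cipher; a real VPN uses an AEAD.
    blocks = (hmac.new(key, nonce + struct.pack("!I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(k_enc, k_mac, nonce, plaintext):
    """Encrypt-then-MAC: confidentiality from the keystream, integrity from the tag."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    return nonce + ct + hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()

def open_(k_enc, k_mac, blob):
    """Verify the tag before decrypting; a tampered or forged blob is rejected."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, nonce, len(ct))))

def encapsulate_and_encrypt(inner, gw_src, gw_dst, k_enc, k_mac, nonce):
    """Encapsulate, then encrypt: only the gateway addresses remain visible on the wire."""
    return packet(gw_src, gw_dst, PROTO_ESP, seal(k_enc, k_mac, nonce, inner))

def visible_to_sniffer(outer):
    """What an on-path observer can read: the inner addresses only if not encrypted."""
    _, _, proto, payload = parse(outer)
    return parse(payload)[:2] if proto == PROTO_GRE else None
```

With encapsulation only, `visible_to_sniffer` returns the private inner addresses; after encapsulate-then-encrypt it returns nothing useful, and a flipped byte in the protected payload makes `open_` raise instead of delivering altered data.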
3.1 Introducing VPN Technology

3.1.2 Overlay and Peer-to-Peer VPN Architecture

In terms of evolution, there are two major VPN models: overlay VPN and peer-to-peer VPN.

Overlay VPNs

Service providers (SPs) are the most common users of the overlay VPN model. The design and provisioning of virtual circuits (VCs) across the backbone is completed before any traffic flows. In the case of an IP network, this means that even though the underlying technology is connectionless, a connection-oriented approach is required to provision the service. The scaling issues of overlay VPNs present a challenge to SPs when they have to manage and provision a large number of circuits and tunnels between customer devices. From a customer's point of view, the Interior Gateway Protocol (IGP) design is also complex and difficult to manage.

The overlay model includes L2 and L3 VPNs:

- L2 overlay VPN: L2 overlay VPNs are independent of the network protocol used by the customer, meaning that the VPN is not limited to carrying IP traffic. If the carrier offers the appropriate ATM service, the overlay VPN will carry any kind of information. Frame Relay VPNs are normally limited to data applications, although voice over Frame Relay customer premises equipment (CPE) devices may be usable on some services.
- L3 overlay VPN: L3 overlay VPNs most often use an “IP in IP” tunneling scheme using Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), or IP security (IPsec). The figure summarizes the basic properties of these technologies.
CPE-Based VPN (Peer-to-Peer)

CPE-based VPN is another name for an L3 overlay VPN. The VPN is implemented using CPE, as shown in the figure. In this way, a customer creates a VPN across an Internet connection without any specific knowledge or cooperation from the service provider. The customer gains the advantage of increased privacy using an inexpensive Internet connection. This approach is not advantageous to the SP because there is little opportunity for VPN service revenue. However, SPs do charge a higher rate for “business class” Internet services applicable to medium to large enterprises. Also, some SPs offer “managed VPN” services where CPE configuration and Network Address Translation (NAT) address management are performed by the SP rather than by the customer.

SP-Provisioned VPN

The introduction of Multiprotocol Label Switching (MPLS) combines the benefits of overlay VPNs (security and isolation among customers) with the benefits of the simplified routing of a peer-to-peer VPN. MPLS VPN provides simpler customer routing, simpler service provider provisioning, and a number of possible topologies that are hard to implement in either the overlay or peer-to-peer VPN models. MPLS also adds the benefits of a connection-oriented approach to the IP routing paradigm, through the establishment of label-switched paths that are created based on topology information rather than traffic flow. This model uses three types of routers, as shown in the figure:

- The Provider (P) and the Customer Edge (CE) routers are assumed to be unaware of any VPN protocols or procedures.
- Only the Provider Edge (PE) routers need to be provisioned to support the VPNs.

Note that MPLS VPNs cannot replace all VPN implementations because MPLS only supports IP as the Layer 3 protocol. Other protocols, including IPX and AppleTalk, must be tunneled through the IP backbone.
3.1.3 VPN Topologies

There are three VPN topologies to consider:

- Remote Access VPN: Remote access VPNs provide remote users access to an intranet or extranet over a shared infrastructure. Mobile users, telecommuters, and branch offices can securely connect using dialup, Integrated Services Digital Network (ISDN), digital subscriber line (DSL), mobile IP, and cable technologies. Remote access VPNs use only a single VPN gateway. The party negotiating a secure connection with the VPN gateway uses VPN client software. The VPN client software allows telecommuters and traveling users to communicate on the central network and access servers from many different locations. Tunnels are created using either IPsec, Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), or Layer 2 Forwarding (L2F) Protocol.

  Benefits: Remote access VPNs reduce the long-distance charges associated with dialup access. Remote access VPNs also help increase productivity and confidence by ensuring secure network access regardless of an employee’s location.

- Site-to-Site Intranet VPN: Site-to-site intranet VPNs link headquarters, remote offices, and branch offices to an internal network over a shared infrastructure using dedicated connections. Intranet VPNs differ from extranet VPNs in that intranet VPNs allow access only to trusted employees. With an intranet VPN, gateways at various physical locations within the same business negotiate secure tunnels across the Internet. An example of this type of VPN is a network that exists in several geographic locations, connecting to a data center or mainframe that has secure access through the Internet. Users from the networks on either side of the tunnel can communicate with one another as if the networks were a single network. These networks may need strong encryption and have strict performance and bandwidth requirements. Tunnels are created using either IPsec or IPsec/GRE.

  Benefits: Site-to-site intranet VPNs offer cost savings over traditional leased-line or Frame Relay technologies.

- Site-to-Site Extranet VPN: An extranet site-to-site VPN links outside customers, suppliers, partners, or communities of interest to an enterprise customer's network over a shared infrastructure using dedicated connections. Extranet VPNs differ from intranet VPNs in that extranet VPNs allow access to users who are outside the enterprise. Extranet VPNs use firewalls in conjunction with VPN tunnels so that business partners are only able to gain secure access to specific data and resources while not gaining access to private corporate information.

  Benefits: Businesses enjoy the same policies as a private network, including security, quality of service (QoS), manageability, and reliability.
3.1.4 Characteristics of a Secure VPN

Security is the focus of any VPN design. VPNs can use advanced encryption techniques and tunneling to establish secure, end-to-end,