An Overview of Virtual Private Networks (VPNs)

Networks and Communications

30 Oct 2013


Prasad Modak

School of Electrical Engineering and Computer Science

University of Central Florida

Orlando, FL 32816




5, 2002


Until fairly recently, large corporations were using costly leased lines, Frame Relay, and ATM to build their intranets to incorporate remote employees and distant offices. Small and medium size corporations were stuck with low-speed switched services, as they could not afford dedicated leased lines. As the popularity of the Internet grew, companies got the chance to offload their intranets to the web. But the basic problem with this offloading is the security of the Internet, which is subject to many threats, including loss of privacy, loss of data integrity, identity spoofing and denial of service.

Virtual Private Networks (VPNs) provided a solution to this problem using special tunneling protocols and complex encryption procedures. The methods used in a VPN to keep the connection and data secure are Firewalls, Tunnels, Encryption, and Authentication.

PPTP, L2F, L2TP, Socks5 and IPSec are the five main protocols for VPNs, out of which IPSec is the standards-based method to provide privacy, integrity, and authenticity to information transferred across IP networks.

VPNs find their application mainly in Remote Access and Site-to-Site Connectivity.

This work is done to fulfill the requirement of the Term Paper for the course 'Computer Network Architecture' (CDA 5501) offered in Fall 2002. Instructor: Dr. Mostafa Bassiouni.


1. Introduction

The term VPN or Virtual Private Network is one of the most overused buzzwords in the industry today. Before this concept surfaced, large corporations had expended considerable resources to set up complex private networks, now commonly known as Intranets. These networks were installed using costly leased line services ranging from ISDN (Integrated Services Digital Network, 128 Kbps) to OC3 (Optical Carrier 3, 155 Mbps) fiber, Frame Relay and ATM to incorporate remote employees and distant offices. Of course, small and medium size companies could not afford the dedicated leased lines and were stuck with low-speed switched services.

As the popularity of the Internet grew, businesses turned to it as a means of extending their own network. Companies began to upgrade their Intranets to the web and create what are known as Extranets to link internal and external users. But though the Internet is effective and quick to deploy, it has been marred by a lack of security. The Internet is subject to many threats, including loss of privacy, loss of data integrity, identity spoofing and denial of service.

This fundamental problem of security has now been overcome by Virtual Private Networks (VPNs). Using special tunneling protocols and complex encryption procedures, data integrity and privacy are achieved. Also, since these operations occur over a public network, VPNs can cost significantly less to implement than privately owned or leased lines.

The remainder of this paper is organized as follows. In Section 2, I review the basic concepts behind Virtual Private Networks with the main focus on how the security requirement is achieved using Encryption and Authentication. Section 3 covers the five main protocols used for Virtual Private Networking, namely the tunneling protocols (PPTP and L2TP), Layer 2 Forwarding (L2F), Socks5, and the IP Security Protocol (IPSec), with the main focus on IPSec. Section 4 describes some VPN applications. Finally, I give my concluding remarks in Section 5.

2. Virtual Private Networks

Basically, a VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users together. Instead of using a dedicated, real-world connection such as a leased line, a VPN uses "virtual" connections routed through the Internet from the company's private network to the remote site or employee. Figure 1 shows a typical VPN. It might have a main LAN at the corporate headquarters of the company, other LANs at the remote offices or facilities and individual users connecting from out in the field.

There are mainly two types of VPN: Remote-Access VPN and Site-to-Site VPN. [1]

Remote-Access VPN: This is a user-to-LAN connection used by a company that has employees who need to connect to the private network from various remote locations. It is also called a Virtual Private Dial-up Network (VPDN). Typically, a corporation that wishes to set up a large remote-access VPN will outsource to an Enterprise Service Provider (ESP). The ESP sets up a Network Access Server (NAS) and provides the remote users with desktop client software for their computers. The telecommuters can then dial a toll-free number to reach the NAS and use their VPN client software to access the corporate network.

Figure 1: A typical VPN

Site-to-Site VPN: A company can connect multiple fixed sites over a public network such as the Internet through the use of dedicated equipment and large-scale encryption. It is further divided into Intranet-based VPN and Extranet-based VPN.

Intranet-based: If a company has one or more remote locations that it wishes to join in a single private network, it can create an intranet VPN to connect LAN to LAN.

Extranet-based: When a company has a close relationship with another company, it can build an extranet VPN that connects LAN to LAN and allows all of the various companies to work in a shared environment.

Figure 2 shows these three types of VPN.

Now let's see the several methods used by a well-designed VPN for keeping the connection and data secure.


Firewalls: A firewall [2] is an important security feature for any Internet user. It prevents unauthorized users and/or data from getting in or out of your network, using rules to specify acceptable communications from locations, individuals, or in certain protocols. Firewalls can be set to restrict the number of open ports, what type of packets are passed through and which protocols are allowed through. A good firewall should be in place before one implements a VPN.


Figure 2: Three types of VPN [1]

However, firewalls do not protect the data from threats within the Internet itself. Once the data gets outside the firewall, all the sensitive information such as user names, passwords and account numbers is visible to attackers. To use the public, shared Internet for secure data transmission, VPN tunnels are used, which are enabled by encryption algorithms.

Tunnels: The thing that makes a Virtual Private Network "virtually private" is a tunnel. [2] Even though you access your network via the Internet, you are not really "on" the Internet. Instead you are "on" your company network. As with any Internet traffic, VPN tunnel packets may take different paths between the two endpoints. The word tunnel does not mean that there is a fixed path for transmission between the sender and the receiver. It is just that only the recipient at the other end of your transmission can see inside your protective encryption shell, sort of a "tunnel vision" idea. Tunneling technology encrypts and encapsulates your own network protocols within the Internet Protocol (IP). This is the reason why Internet-based VPN transmission is transparent to the users as well as to network management operations.

Encryption: This is the process of taking all the data that one computer is sending to another and encoding it into a form that only the other computer will be able to understand. [2] In other words, it is a technique for scrambling (into cipher-text) and unscrambling (back to clear-text) information. In a VPN, a VPN gateway sits at either end of the VPN tunnel. The gateway at the sending location encrypts the information into cipher-text before sending it through the tunnel over the Internet. The VPN gateway at the receiving location decrypts the information back into clear-text.


Most computer encryption systems belong to one of two categories: Symmetric-key Encryption and Public-key Encryption.

Symmetric-key Encryption: In this scheme, the same key is used at each end of the tunnel to encrypt and decrypt the information. Symmetric-key encryption requires you to know which computers will be talking to each other so you can install the key on each one. Of course, there must be an understanding between the two parties to take appropriate steps to keep the key secret. This is the reason why symmetric keys are often known as shared secrets. These keys are more difficult to distribute because they must be kept confidential. A technique called key splitting may be employed to reduce the potential for key disclosure during transit.

Public-key Encryption: In this scheme, the information is encrypted with one key and decrypted with a different key. The two keys used in this scenario are referred to as the private and public keys. The private key is the one you keep to yourself, whereas the public key is distributed to the remote users who want to communicate with you. If, say, user X wants to communicate with you, she must encrypt the message using your public key, making sure that the cipher-text can be decoded only by you with your private key. The reverse procedure applies if you want to communicate with user X. This encryption method is also called asymmetric-key encryption. A very popular public-key encryption utility is Pretty Good Privacy (PGP), which allows you to encrypt almost anything.

Authentication: At this step, the recipient of data can determine whether the sender really is who he says he is (User/System Authentication) and whether the data was redirected or corrupted en route (Data Authentication). [2]

User/System Authentication: Let us assume that user X wants to communicate with user Y. When Y receives a message signed by X, Y picks a random number and encrypts it using a key (for example, the public key of X) that only X should be able to decode. X then decrypts the random number and re-encrypts it using a key (for example, the public key of Y) that only Y should be able to decode. When Y gets the number back, Y can be assured that it really is X on the other end.

Data Authentication: In order to verify that data packets have arrived unaltered, VPN systems use a technique involving hash functions. A hash function computes a fixed-length value, called a hash, from a bit string of any length. The sender attaches the hash to the data packet before the encryption step. When the recipient receives the data and decrypts it, he can calculate his own hash independently. The output of his calculation is compared to the value appended by the sender. If the two hashes do not match, the recipient can assume that the data has been altered. The idea is that it is easy to calculate the hash value of a file but mathematically difficult to generate a file that will hash to that value. In IPSec (Section 3) the hash is a keyed hash (HMAC), so that a party who does not hold the key cannot recompute a matching hash for altered data.
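Whether this check actually detects tampering depends on what kind of hash is appended. The following Python program, added here as an illustration and not part of the original paper, builds the scheme exactly as described (hash appended, then everything encrypted) and shows why IPSec uses a keyed hash instead: with an unkeyed hash inside a stream cipher, an attacker who knows the plaintext can rewrite the ciphertext so that it decrypts to a different payload whose hash still matches; with an HMAC the same manipulation is rejected. The cipher is a toy (HMAC-SHA256 run as a PRF in counter mode) standing in for the VPN's bulk cipher, the attacker's knowledge of the original payload is an assumption of the example, and the keys, nonces and payload are constructed for it.

```python
import hashlib
import hmac

# Constructed example keys. In a real VPN both come from the key exchange
# (IPSec derives them with Diffie-Hellman, see Section 3); fixed here so
# that the run is repeatable.
CIPHER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
MAC_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100" * 2)
TAG_LEN = 32  # SHA-256 output size, used for both the plain hash and the HMAC


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256 used as a PRF in counter mode (an
    assumption of this example, standing in for the VPN's bulk cipher).
    Any stream or counter-mode cipher is malleable in exactly the same way."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(nonce: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(CIPHER_KEY, nonce, len(plaintext)))


decrypt = encrypt  # XOR with the same keystream undoes the encryption


def unkeyed_tag(payload: bytes) -> bytes:
    """Plain hash, as in the scheme described in the text."""
    return hashlib.sha256(payload).digest()


def keyed_tag(payload: bytes) -> bytes:
    """Keyed hash (HMAC), as IPSec AH/ESP use it."""
    return hmac.new(MAC_KEY, payload, hashlib.sha256).digest()


def protect(nonce: bytes, payload: bytes, tag_fn) -> bytes:
    """Sender: append the tag, then encrypt payload and tag together."""
    return encrypt(nonce, payload + tag_fn(payload))


def verify(nonce: bytes, packet: bytes, tag_fn):
    """Receiver: decrypt, recompute the tag, compare in constant time.
    Returns the payload if the tag matches, None otherwise."""
    message = decrypt(nonce, packet)
    payload, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    return payload if hmac.compare_digest(tag, tag_fn(payload)) else None


def forge(packet: bytes, known: bytes, wanted: bytes, guessed_tag_fn) -> bytes:
    """Attacker: knows the plaintext (assumption), never sees the keystream.
    XORing out the old message and XORing in the new one rewrites the
    ciphertext so that it decrypts to wanted || guessed_tag_fn(wanted)."""
    assert len(known) == len(wanted)
    old = known + guessed_tag_fn(known)
    new = wanted + guessed_tag_fn(wanted)
    return xor(packet, xor(old, new))


def demo():
    original = b"PAY 0000100.00 TO ACCT 4242"
    altered = b"PAY 9999100.00 TO ACCT 4242"
    # Constructed per-packet nonces; a stream cipher must never reuse one.
    nonce1, nonce2 = b"\x00" * 8, b"\x01" * 8

    # Scheme 1: unkeyed hash inside the encryption. The attacker can compute
    # SHA-256 of the altered payload himself, so the forgery is accepted.
    pkt1 = protect(nonce1, original, unkeyed_tag)
    forged1 = forge(pkt1, original, altered, unkeyed_tag)
    unkeyed_result = verify(nonce1, forged1, unkeyed_tag)

    # Scheme 2: HMAC. The attacker does not hold MAC_KEY; the best he can do
    # is substitute a tag he can compute (the plain hash), which is rejected.
    pkt2 = protect(nonce2, original, keyed_tag)
    forged2 = forge(pkt2, original, altered, unkeyed_tag)
    keyed_result = verify(nonce2, forged2, keyed_tag)

    return unkeyed_result, keyed_result, verify(nonce2, pkt2, keyed_tag)


if __name__ == "__main__":
    accepted, rejected, genuine = demo()
    print("unkeyed hash, forged packet accepted as:", accepted)
    print("HMAC, forged packet:", rejected)
    print("HMAC, genuine packet:", genuine)
```

The lesson carried by the run is that encryption alone, even with a hash tucked inside it, does not give integrity: the recipient's check has value only if the attacker cannot recompute the tag, which is what the key in an HMAC provides.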

3. VPN Protocols

As a matter of practice, the separate technologies used to provide confidentiality, integrity and authentication in a given implementation are grouped together under a single protocol name. Four widely used protocols are the tunneling protocols (PPTP and L2TP), Layer 2 Forwarding (L2F), Socks5, and IPSec.

Point-to-Point Tunneling Protocol: (PPTP)

One of the first protocols deployed for VPNs was PPTP [3]. It has been a widely deployed solution for dial-in VPNs since Microsoft included support for it in RRAS for Windows NT Server 4.0 and offered a PPTP client in a service pack for Windows 95. The most commonly used protocol for remote access to the Internet is the Point-to-Point Protocol (PPP). PPTP builds on the functionality of PPP to provide remote access that can be tunneled through the Internet to a destination site. As currently implemented, PPTP encapsulates PPP packets using a modified version of the Generic Routing Encapsulation (GRE) protocol, which gives PPTP the flexibility of handling protocols other than IP, such as Internetwork Packet Exchange (IPX) and NetBIOS Extended User Interface (NetBEUI).

Because of its dependence on PPP, PPTP relies on the authentication mechanisms within PPP, namely the Password Authentication Protocol (PAP) and the Challenge Handshake Authentication Protocol (CHAP). Because there is a strong tie between PPTP and Windows NT, an enhanced version of CHAP, MS-CHAP, is also used, which utilizes information within NT domains for security. Similarly, PPTP can use PPP to encrypt data, but Microsoft has also incorporated a stronger encryption method called Microsoft Point-to-Point Encryption (MPPE) for use with PPTP.

Aside from the relative simplicity of client support for PPTP, one of the protocol's main advantages is that PPTP is designed to run at Open Systems Interconnection (OSI) Layer 2, the link layer. By supporting data communications at Layer 2, PPTP can transmit protocols other than IP over its tunnels.

PPTP does have some limitations. It does not provide strong encryption for protecting data, nor does it support any token-based methods for authenticating users. Therefore it is vulnerable to attacks. It also lacks scalability in that it only supports 255 concurrent connections per server.

The low cost and integration with NT and Windows 95, however, make PPTP a viable remote access solution where multi-protocol access is desirable but heavy encryption and authentication are not needed.


Layer 2 Forwarding: (L2F)

L2F [3] also arose in the early stages of VPN development. Like PPTP, L2F was designed as a protocol for tunneling traffic from users to their corporate sites. One major difference between PPTP and L2F is that, because L2F tunneling is not dependent on IP, it is able to work directly with other media, such as Frame Relay or Asynchronous Transfer Mode (ATM). Paralleling PPTP's design, L2F uses PPP for authentication of the dial-up user, but it also included support for the Terminal Access Controller Access Control System (TACACS) and the Remote Authentication Dial-In User Service (RADIUS) for authentication from the beginning. L2F also differs from PPTP in that it defines connections within a tunnel, allowing a tunnel to support more than one connection. There are also two levels of authentication of the user, first by the ISP prior to setting up the tunnel and then when the connection is set up at the corporate gateway. Because L2F is a Layer 2 protocol, it offers users the same flexibility as PPTP for handling protocols other than IP, such as IPX and NetBEUI.

Layer 2 Tunneling Protocol: (L2TP)

L2TP [3, 6] was designed to address the shortcomings of PPTP and L2F. L2TP uses PPP to provide dial-up access that can be tunneled through the Internet to a site. However, L2TP defines its own tunneling protocol, based on the work done on L2F. L2TP transport is being defined for a variety of packet media, including X.25, Frame Relay and ATM. To strengthen the protection of the data it handles, L2TP relies on IPSec's encryption methods.

Because it uses PPP for dial-up links, L2TP includes the authentication mechanisms within PPP, namely PAP and CHAP. Similar to PPTP, L2TP supports PPP's use of the Extensible Authentication Protocol (EAP) for other authentication systems, such as RADIUS. None of PPTP, L2F and L2TP includes encryption, or processes for managing the cryptographic keys required for encryption, in its specification.

In a traditional remote access scenario, a remote user (or client) accesses a network by directly connecting to a Network Access Server (NAS). Generally, the NAS provides several distinct functions: it terminates the point-to-point communications session of the remote user, validates the identity of that user, and then serves that user with access to the network. Although most remote access technologies bundle these functions into a single device, L2TP separates them into two physically separate devices: the L2TP Access Concentrator (LAC) and the L2TP Network Server (LNS). As its name implies, the L2TP Access Concentrator supports authentication and ingress. Upon successful authentication, the remote user's session is forwarded to the LNS, which lets that user into the network. This separation enables greater flexibility for implementation than other remote access technologies.

L2TP can be implemented in two distinct topologies: Client-aware Tunneling and Client-transparent Tunneling. The distinction between these two topologies is whether the client machine that is using L2TP to access a remote network is aware that its connection is being tunneled.

Client-aware Tunneling: This name is derived from the remote client initiating (hence being "aware" of) the tunnel. In this scenario, the client establishes a logical connection within a physical connection to the LAC. The client remains aware of the tunneled connection all the way through to the LNS, and it can even determine which of its traffic goes through the tunnel.

Client-transparent Tunneling: Client-transparent tunneling features L2TP access concentrators distributed geographically close to the remote users. Such geographic dispersion is intended to reduce the long-distance telephone charges that would otherwise be incurred by remote users dialing into a centrally located LAC. The remote users need not support L2TP directly; they merely establish a point-to-point communication session with the LAC using PPP. Ostensibly, the user will be encapsulating IP datagrams in PPP frames. The LAC exchanges PPP messages with the remote user and establishes an L2TP tunnel with the LNS through which the remote user's PPP messages are passed. The LNS is the remote user's gateway to its home network. It is the terminus of the tunnel; it strips off all L2TP encapsulation and serves up network access for the remote user.


Socks5:

Socks5 [4] is a circuit-level proxy protocol that was originally designed to facilitate authenticated firewall traversal. It provides a secure proxy architecture with extremely granular access control, making it an excellent choice for extranet configurations. Socks5 supports a broad range of authentication, encryption, tunneling and key management schemes, as well as a number of features not possible with IPSec, PPTP or other VPN technologies. Socks5 provides an extensible architecture that allows developers to build system plug-ins, such as content filtering (denying access to Java applets and similar active content, for example) and extensive logging and auditing of users. When SOCKS is used in conjunction with other VPN technologies, it is possible to have a more complete security solution than any individual technology could provide. A user may, for example, incorporate IPSec and SOCKS together. IPSec could be used to secure the underlying network transport, while SOCKS could be used to enforce user-level and application-level access control.


IP Security Protocol: (IPSec)

IPSec [5] is a standards-based method of providing privacy, integrity, and authenticity to information transferred across IP networks. The goal of IPSec is to address all the threats mentioned above, including loss of privacy, loss of data integrity, identity spoofing, and denial of service, without requiring expensive host and application modifications.

IPSec is a framework of open standards for ensuring secure private communications over IP networks. Based on standards developed by the Internet Engineering Task Force (IETF), IPSec ensures confidentiality, integrity, and authenticity of data communications across a public IP network. IPSec provides a necessary component of a standards-based, flexible solution for deploying a network-wide security policy. Encryption and authentication controls can be implemented at several layers in your computing infrastructure, as shown in the following figure.

Figure 3: Encryption Implementation Locations [5]

IPSec implements network layer encryption and authentication by providing an end-to-end security solution in the network architecture itself. Thus the end systems and applications do not need any changes to gain the advantage of strong security. Because the encrypted packets look like ordinary IP packets, they can be easily routed through any IP network, such as the Internet, without any changes to the intermediate networking equipment. The only devices that know about the encryption are the end points. This feature greatly reduces both implementation and management costs.

IPSec combines several different security technologies into a complete system to provide confidentiality, integrity, and authenticity. In particular, IPSec uses:

- Diffie-Hellman key exchange for deriving key material between peers on a public network
- Public key cryptography for signing the Diffie-Hellman exchanges to guarantee the identity of the two parties and avoid man-in-the-middle attacks
- Bulk encryption algorithms, such as DES, for encrypting the data
- Keyed hash algorithms, such as HMAC, combined with traditional hash algorithms such as MD5 or SHA, for providing packet authentication
- Digital certificates signed by a certificate authority to act as digital ID cards


IPSec defines a new set of headers to be added to IP datagrams. These new headers are placed after the IP header and before the Layer 4 protocol header (typically Transmission Control Protocol [TCP] or User Datagram Protocol [UDP]). These new headers provide information for securing the payload of the IP packet as follows:

Authentication Header: (AH) This header, when added to an IP datagram, ensures the integrity and authenticity of the data, including the invariant fields in the outer IP header. It does not provide confidentiality protection. AH uses a keyed hash function rather than digital signatures, because digital signature technology is too slow and would greatly reduce network throughput.

Encapsulating Security Payload: (ESP) This header, when added to an IP datagram, protects the confidentiality, integrity, and authenticity of the data. If ESP is used to validate data integrity, it does not include the invariant fields in the IP header.

IPSec provides two modes of operation, Transport and Tunnel modes, as shown in the following figure.

Figure 4: Tunnel and Transport Modes [5]

In transport mode, only the IP payload is encrypted, and the original IP headers are left intact. This mode has the advantage of adding only a few bytes to each packet. It also allows devices on the public network to see the final source and destination of the packet. This capability allows you to enable special processing (for example, quality of service) in the intermediate network based on the information in the IP header. However, the Layer 4 header will be encrypted, limiting the examination of the packet. Unfortunately, by passing the IP header in the clear, transport mode allows an attacker to perform some traffic analysis.

In tunnel mode, the entire original IP datagram is encrypted, and it becomes the payload in a new IP packet. This mode allows a network device, such as a router, to act as an IPSec proxy. That is, the router performs encryption on behalf of the hosts. The source's router encrypts packets and forwards them along the IPSec tunnel. The destination's router decrypts the original IP datagram and forwards it on to the destination system. The major advantage of tunnel mode is that the end systems do not need to be modified to enjoy the benefits of IP Security. Tunnel mode also protects against traffic analysis. With tunnel mode, an attacker can only determine the tunnel endpoints and not the true source and destination of the tunneled packets, even if they are the same as the tunnel endpoints.

Each IPSec connection can provide encryption, integrity and authentication, or both. The security association is the method that IPSec uses to track all the particulars concerning a given IPSec communication session. A Security Association (SA) is a relationship between two or more entities that describes how the entities will use security services to communicate securely. A security association is unidirectional, meaning that for each pair of communicating systems there are at least two security associations. The security association is uniquely identified by a randomly chosen number called the Security Parameter Index (SPI) together with the destination IP address. When a system sends a packet that requires IPSec protection, it looks up the security association in its database, applies the specified processing, and then inserts the SPI from the security association into the IPSec header. When the IPSec peer receives the packet, it looks up the security association in its database by destination address and SPI and then processes the packet as required.
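To make the AH description and the security-association lookup above concrete, here is a small Python model, added as an example and not code from the paper or from any IPSec implementation. Each gateway holds a Security Association Database indexed by (destination address, SPI); SAs are unidirectional, so the two directions use different SPIs and keys. The sender looks up its SA, numbers the packet and attaches an ICV computed as HMAC-SHA1 truncated to 96 bits (the HMAC-SHA1-96 of RFC 2404) over the invariant IP header fields, the AH header and the payload; the receiver finds the SA from the packet's own destination address and SPI and recomputes the ICV. Packets are plain Python dicts carrying a simplified IPv4 header, and the addresses, SPIs and keys are constructed for the example. The run shows that a TTL change in transit is tolerated, that a rewritten source address is caught, and that an unknown SPI or a packet presented against the other direction's SA is discarded.

```python
import dataclasses
import hashlib
import hmac
import ipaddress
import struct

AH_PROTOCOL = 51   # IP protocol number carried in the outer header for AH
ICV_LEN = 12       # HMAC-SHA1-96: the 160-bit HMAC truncated to 96 bits (RFC 2404)


@dataclasses.dataclass
class SA:
    """One unidirectional Security Association, identified by (destination, SPI)."""
    dst: str
    spi: int
    auth_key: bytes
    seq: int = 0            # outbound sequence number, incremented per packet


class SAD:
    """Security Association Database, indexed by (destination address, SPI)."""

    def __init__(self):
        self._entries = {}

    def add(self, sa: SA) -> None:
        self._entries[(sa.dst, sa.spi)] = sa

    def lookup(self, dst: str, spi: int):
        return self._entries.get((dst, spi))


def _icv_input(pkt: dict) -> bytes:
    """Bytes the ICV covers: the invariant IP header fields (source, destination,
    protocol; TTL is mutable in transit and so is treated as zero), the AH
    header with its own ICV field zeroed, and the payload."""
    ip_part = (ipaddress.IPv4Address(pkt["src"]).packed
               + ipaddress.IPv4Address(pkt["dst"]).packed
               + struct.pack("!BB", 0, AH_PROTOCOL))
    # AH header: next header, payload length (4 for a 96-bit ICV), reserved, SPI, sequence
    ah_part = struct.pack("!BBHII", pkt["next_header"], 4, 0, pkt["spi"], pkt["seq"])
    return ip_part + ah_part + b"\x00" * ICV_LEN + pkt["payload"]


def _icv(key: bytes, pkt: dict) -> bytes:
    return hmac.new(key, _icv_input(pkt), hashlib.sha1).digest()[:ICV_LEN]


def ah_outbound(sad: SAD, src: str, dst: str, spi: int, payload: bytes,
                next_header: int = 17) -> dict:
    """Sender: find the SA for this destination/SPI, number the packet, attach the ICV."""
    sa = sad.lookup(dst, spi)
    if sa is None:
        raise LookupError("no outbound SA for (%s, 0x%08x)" % (dst, spi))
    sa.seq += 1
    pkt = {"src": src, "dst": dst, "ttl": 64, "next_header": next_header,
           "spi": spi, "seq": sa.seq, "icv": b"", "payload": payload}
    pkt["icv"] = _icv(sa.auth_key, pkt)
    return pkt


def ah_inbound(sad: SAD, pkt: dict):
    """Receiver: look the SA up by (destination, SPI) taken from the packet itself,
    recompute the ICV in constant time, and accept or discard. Returns (payload, verdict)."""
    sa = sad.lookup(pkt["dst"], pkt["spi"])
    if sa is None:
        return None, "discard: no SA for (%s, 0x%08x)" % (pkt["dst"], pkt["spi"])
    if not hmac.compare_digest(pkt["icv"], _icv(sa.auth_key, pkt)):
        return None, "discard: ICV mismatch"
    return pkt["payload"], "accept"


def demo() -> dict:
    # Constructed addresses (documentation range), SPIs and keys.
    gw_a, gw_b = "198.51.100.1", "198.51.100.2"
    a_to_b = SA(dst=gw_b, spi=0x1001, auth_key=b"\x0a" * 20)
    b_to_a = SA(dst=gw_a, spi=0x2002, auth_key=b"\x0b" * 20)
    sad_a, sad_b = SAD(), SAD()
    for sa in (a_to_b, b_to_a):          # each peer holds both SAs of the pair
        sad_a.add(dataclasses.replace(sa))
        sad_b.add(dataclasses.replace(sa))

    results = {}
    pkt = ah_outbound(sad_a, gw_a, gw_b, 0x1001, b"hello")
    pkt["ttl"] -= 1                                   # a router on the path decrements TTL
    results["genuine"] = ah_inbound(sad_b, pkt)

    spoofed = dict(pkt, src="203.0.113.9")            # on-path attacker rewrites the source
    results["spoofed_src"] = ah_inbound(sad_b, spoofed)[1]
    results["unknown_spi"] = ah_inbound(sad_b, dict(pkt, spi=0x9999))[1]

    # Wrong direction: the A->B SPI is not valid for packets addressed to A,
    # because the SA is looked up by (destination, SPI).
    results["wrong_direction"] = ah_inbound(sad_a, dict(pkt, src=gw_b, dst=gw_a))[1]
    reply = ah_outbound(sad_b, gw_b, gw_a, 0x2002, b"reply")
    results["reply"] = ah_inbound(sad_a, reply)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

Because the ICV covers the outer addresses, any device that rewrites them in transit (a NAT, for instance) invalidates AH, whereas ESP, which leaves the invariant IP fields out of its integrity check, is not affected by such rewriting; the TTL is excluded precisely because routers are expected to change it.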

4. VPN Applications

Two main applications of VPN are Remote Access [2] and Site-to-Site Connectivity [2].

Remote Access:

Business professionals who travel frequently or who often work at home after hours find this solution to be of great benefit to their ability to get things done. No matter where they are, secure access to their entire business is only a local telephone call away. This is also a useful solution for cases where key personnel need to be away from the office for an extended period of time.

Connections for mobile and remote users have traditionally been achieved using analog or ISDN switched services. Small offices that could not afford permanent connections to the corporate Intranet would also use these dial-up technologies. Long distance charges would be the largest cost of this type of remote connectivity. Other costs include investment in a Remote Access Server (RAS) at the central site as well as the technical support personnel necessary for configuring and maintaining the RAS.

The situation has changed with the arrival of VPNs. Remote users can establish dial-up connections to local ISPs and connect, via the Internet, to a VPN server at headquarters. Using today's faster Internet connections, employees access corporate resources at speeds well exceeding 500 kbps. Under most conditions, this is like being at a desk in the corporate headquarters building. VPN enables mobile and remote employees to work faster and more efficiently. In this application, the VPN benefits include replacement of long-distance or 800-number services, elimination of the need for remote access servers and modems, and access to all enterprise data and applications.

Site-to-Site Connectivity:

The global business village of today's marketplace often requires companies to establish regional and international branch offices. The options have traditionally been either to deploy dedicated leased-line services or to use the same dial-up technologies as mobile users. To connect branch offices to headquarters, businesses would previously outfit each remote location with a router that connected the campus to a backbone router over a LAN or WAN link. The remote routers also connected the branch office with the other remote locations. All these routers were often connected with a web of leased line or Frame Relay services. The cost of this configuration, which includes the campus and backbone routers as well as the charges for telecommunications services (most significantly, the long distance charges), is usually very high.

Using a VPN solution for this application, the backbone WAN and its associated hardware are replaced by the Internet. Each remote location incurs only the cost of an Internet connection. Using the Internet pipeline, one can also eliminate the backbone routers and their system administration, configuration, technical support, and routing maintenance. Performance is also likely to be enhanced in this application thanks to the high-speed facilities within the Internet.

5. Conclusion

Before Virtual Private Networks, large corporations had set up their intranets using costly leased line services, Frame Relay, and ATM to incorporate remote employees and distant offices. As the popularity of the Internet grew, small and medium size companies, who could not afford the dedicated leased line solution above, got the chance to upgrade their intranets to the web. But the fundamental problem was one of security: the Internet is subject to many threats, including loss of privacy, loss of data integrity, identity spoofing and denial of service.

Virtual Private Networks offered a solution to this problem by using special tunneling protocols and complex encryption procedures to achieve data integrity and privacy. A well-designed VPN uses Firewalls, Tunnels, Encryption and Authentication to keep the connection and data secure.

Basic VPN protocols include PPTP, L2F, L2TP, Socks5 and IPSec. Out of these, IPSec is the standards-based method of providing privacy, integrity, and authenticity to information transferred across IP networks.

VPN is useful in many applications like Remote Access and Site-to-Site Connectivity.



References

[1] Jeff Tyson: How Virtual Private Networks Work
[2] A Technology Guide from ADTRAN: Understanding Virtual Private Networking
[3] International Engineering Consortium: Virtual Private Networks (VPNs)
[4] Christopher McDonald, AMS Center for Advanced Technologies (AMSCAT): Virtual Private Networks: An Overview
[5] Cisco Systems, Inc.: IPSec (white paper)
[6] Internetworking Technologies Handbook: Virtual Private Networks