Performance Evaluation for Remote Access VPNs on Windows Server 2003


The Higher Institute of Industry - Misurata

1st International Workshop on MOBILE and Wireless SECURITY (WMS’08)

16-19/9/2008 Cardiff - Wales

Performance Evaluation for Remote Access VPNs on Windows Server 2003


By:

Ahmed A. Jaha

Fathi Ben Shatwan

Majdi Ashibani


Outlines


Paper Objectives


VPN Overview.


Experimental Testbeds


Experimental Results


Conclusions and Future Work.


Paper Objectives


Overview of VPN

Survey popular remote access VPN solutions that are widely available

Experimental performance evaluation of these solutions on wired and wireless Windows Server 2003 platform.

Identify issues that have future research potential



VPN Overview


What is VPN?

Diagram labels: Acme Corp, Site 1, Site 2, Internet, VPN

VPN can be defined as a way to provide secure communication between members of a group through use of the public telecommunication infrastructure (usually the Internet), maintaining privacy through the use of a tunneling protocol and security procedures.

VPN systems provide users with the illusion of a completely private network.


Tunneling


Method of using an internetwork infrastructure to transfer data from one network over another network (encapsulation, transmission, and decapsulation of packets)


Security of VPN


Authentication


Authentication ensures that the data is coming from the source from which it claims to come.


Security of VPN


Authentication


Access Control

Access control relates to accepting or rejecting a particular requester's access to some service or data in any given system. It is therefore necessary to define a set of access rights, privileges, and authorizations, and assign these to appropriate people within the domain of the system under analysis.



Security of VPN


Authentication


Access Control

Confidentiality

Confidentiality ensures the privacy of information by restricting unauthorized users from reading data carried on the public network.



Security of VPN

Authentication

Access Control

Confidentiality

Data Integrity

Data integrity verifies that data has not been altered during its travel over the public network.


Benefits of VPN


Cost


VPN eliminates the fixed monthly charge of dedicated leased lines.




Benefits of VPN

Cost

Scalability

As the enterprise grows, full-mesh connectivity might be required between the different offices. This means that the number of leased lines, and the total cost associated with deploying them, increases exponentially.

A VPN that utilizes the Internet avoids this problem by simply using the infrastructure already available.



Benefits of VPN

Cost

Scalability

Security

Security is not impaired when using VPN since transmitted data is either encrypted or, if sent unencrypted, forwarded through trusted networks.



Benefits of VPN

Cost

Scalability

Security

Productivity

In addition to cost savings, VPN increases profits by improving productivity.

The improved productivity results from the ability to access resources from anywhere at any time.


Architecture of VPN



Remote Access VPN


User-to-LAN connection used by enterprises that have employees who need to connect to their private network from various remote locations (e.g. homes, hotel rooms, airports).

Diagram labels: Remote User, Internet, Enterprise main site



Architecture of VPN

Remote Access VPN

Intranet Site-to-Site VPN

LAN-to-LAN connection used to connect enterprise’s offices over Internet

Diagram labels: Enterprise main site, Internet, Enterprise branch site




Architecture of VPN

Remote Access VPN

Intranet Site-to-Site VPN

Extranet Site-to-Site VPN

LAN-to-LAN connection

Provides business partners, suppliers, and customers access to certain data.

Diagram labels: Enterprise main Site, Internet, Partner Site, Supplier Site



Remote Access VPN Protocols (L2)


Point to Point Tunneling Protocol (PPTP)


Developed by Microsoft and others (RFC 2637).

Extension of Point to Point Protocol (PPP).

Clients are included in all versions of Windows since Windows 95.

Servers are included in all Windows Server products since Windows NT.

Clients and servers are supported in Linux.



Remote Access VPN Protocols (L2)

Point to Point Tunneling Protocol (PPTP)

Layer Two Tunneling Protocol (L2TP)

Developed by IETF (RFC 2661).

Combines best features of L2F and PPTP.

Commonly used with IPSec -> L2TP/IPSec.

Clients are included in Windows XP, 2000, and 2003.

Servers are included in Windows Server 2000 and 2003.

Clients and servers are supported in Linux.



Remote Access VPN Protocols (L3)

Point to Point Tunneling Protocol (PPTP)

Layer Two Tunneling Protocol (L2TP)

Internet Protocol Security (IPSec)

Framework developed by IETF (RFCs 2401-2411 and 2451).

IPSec is supported in Windows XP, 2000, 2003 and Vista, in Linux 2.6 and later.

Many vendors supply IPSec VPN servers and clients.



Remote Access VPN Protocols (L5)

Point to Point Tunneling Protocol (PPTP)

Layer Two Tunneling Protocol (L2TP)

Internet Protocol Security (IPSec)

Secure Socket Layer (SSL)

Higher layer security protocol developed by Netscape.

Used with HTTP to enable secure Web browsing (HTTPS).

Supported by most browsers and servers

SSL can also be used to create a VPN tunnel (OpenVPN).

Open-source VPN package for Linux and Windows.


Experimental Testbeds


Performance Metrics


Throughput



The rate at which bulk data transfers can be transmitted from one host to another over a sufficiently long period of time.




Performance Metrics

Throughput

Round Trip Time (RTT)

The amount of time it takes one packet to travel from one host to another and back to the originating host.



Performance Metrics

Throughput

Round Trip Time (RTT)

Packet delay variation (Jitter)

The variation of packet delay where delays actually impact the quality of service.



Performance Metrics

Throughput

Round Trip Time (RTT)

Packet delay variation (Jitter)

Packet loss

The portion of packets transmitted but not received at the destination compared to the total number of packets transmitted.
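The metrics defined above can be computed from a per-packet UDP trace and then normalised to a no-VPN run, which is how the results slides report them. This is an added example, not code from the presentation: the record layout, function names and sample traces are constructed for illustration, and the RFC 3550 smoothed estimator for jitter is an assumption, since the slides do not say which estimator was used.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rx:                      # one received UDP datagram (hypothetical record layout)
    seq: int                   # sender's sequence number
    sent_ms: float             # sender timestamp
    recv_ms: float             # receiver timestamp; a fixed clock offset cancels in jitter
    size: int                  # payload bytes

def packet_loss(sent_count, received):
    """Portion of transmitted packets never received; duplicates count once."""
    if sent_count <= 0:
        raise ValueError("sent_count must be positive")
    return (sent_count - len({r.seq for r in received})) / sent_count

def jitter_ms(received):
    """Smoothed delay variation over arrival order: J += (|D| - J) / 16 (RFC 3550)."""
    j, prev = 0.0, None
    for r in received:
        transit = r.recv_ms - r.sent_ms
        if prev is not None:
            j += (abs(transit - prev) - j) / 16
        prev = transit
    return j

def throughput_bps(received, duration_s):
    """Payload bits delivered per second over the whole test duration."""
    return sum(r.size for r in received) * 8 / duration_s

def multiple_of_no_vpn(vpn, no_vpn):
    """Normalise a VPN measurement to the no-VPN run, as the results slides do."""
    if no_vpn == 0:
        raise ValueError("no-VPN baseline is zero; report the absolute value instead")
    return vpn / no_vpn

def constructed_trace(n, transits_ms, dropped, size=1470, gap_ms=10):
    """Constructed sample data: n datagrams, one every gap_ms, cycling transit delays."""
    return [Rx(i, i * gap_ms, i * gap_ms + transits_ms[i % len(transits_ms)], size)
            for i in range(n) if i not in dropped]

def compare(n=100, duration_s=1.0):
    base = constructed_trace(n, [2, 3], dropped={50})
    vpn = constructed_trace(n, [5, 13, 7], dropped={10, 11, 40, 41, 90})
    return {
        "loss_multiple": multiple_of_no_vpn(packet_loss(n, vpn), packet_loss(n, base)),
        "jitter_multiple": multiple_of_no_vpn(jitter_ms(vpn), jitter_ms(base)),
        "udp_throughput_pct": 100 * multiple_of_no_vpn(
            throughput_bps(vpn, duration_s), throughput_bps(base, duration_s)),
    }

if __name__ == "__main__":
    print(compare())
```

A ratio against the baseline becomes very large when the no-VPN loss or jitter is close to zero, so the absolute values should be kept alongside any "multiple of no VPN" figure.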


Wired Testbed Setup


Wireless Testbed Setup


Performance measurement Tools (Iperf)

Iperf client: Throughput/Jitter/Losses

Iperf server: Throughput/Jitter/Losses


Performance measurement Tools (Hrping)

Hrping: Round Trip Time (RTT)


Experimental Results


TCP throughput


Round Trip Time (RTT)


UDP Throughput


Jitter


Packet Loss


Wired Testbeds Results

Panel labels (each panel): Wired OpenVPN, Wired L2TP/IPSec, Wired PPTP

Packet loss in multiple of no VPN: 24.55

Jitter in multiple of no VPN: 377.18

UDP throughput in % of no VPN: 6.65 %

Round Trip Time (RTT) in multiple of no VPN: 2.86, 2.52, 1.98

TCP throughput in % of no VPN: 52.59 %, 55.23 %, 82.37 %

Other values shown on the slide: 68.12 %, 3.49, 2.53, 51.04 %, 4.34, 5.27


Wireless Testbeds Results

Panel labels (each panel): Wired OpenVPN, Wired L2TP/IPSec, Wired PPTP

Packet loss in multiple of no VPN: 5.02

Jitter in multiple of no VPN: 44.76

UDP throughput in % of no VPN: 8.44 %

Round Trip Time (RTT) in multiple of no VPN: 1.60, 1.50, 1.33

TCP throughput in % of no VPN: 53.85 %, 68.38 %, 83.33 %

Other values shown on the slide: 65.68 %, 1.43, 1.64, 59.98 %, 2.20, 1.51


Conclusions and Future Work


Conclusions


Testbeds have been built to evaluate the performance of remote access VPN solutions (PPTP, L2TP/IPSec, and OpenVPN) on wired and wireless Windows Server 2003 platform.

Performance metrics (Throughput, RTT, Jitter, and packet loss) have been measured in both TCP and UDP mode. These metrics are used in our experiments as they have a direct impact on the ultimate performance perceived by end user applications.

The wireless testbed performance values indicate that the deployment of VPNs on a wireless network infrastructure could be considered as an acceptable choice to secure transmission between wireless clients and their enterprise network.



Future Work


The performance of software-based VPN solutions on platforms other than Windows Server 2003 (such as Linux, BSD, Mac, and Solaris) can be evaluated to select the best platform that will be used to implement the software-based VPN solutions.

The performance evaluation of hardware-based VPN solutions using different hardware VPN products (such as 3Com, ADTRAN, Cisco, and Juniper) should be investigated as well.

The OpenVPN needs to be manipulated to improve its performance in high traffic environment.


Thank you for your attention