Y398 IPP F2002

Y398
INTERNSHIP AND PROFESSIONAL PRACTICE
FALL 2002

BY: WILL LEWIS
DEPARTMENT OF COMPUTER AND INFORMATION SCIENCES
INDIANA UNIVERSITY SOUTH BEND

VIRTUAL PRIVATE NETWORKS (VPN)



VIRTUAL PRIVATE NETWORKS (VPN)
BY WILL LEWIS

INTRODUCTION

A recent trend in industry is for employees to become increasingly mobile and for their network needs to grow. With these new innovations comes a greater demand on companies’ information technology managers. These information managers must plan and implement strategies that will allow for the expansion of company resources well beyond the safe confines of the company intranet. One of the more popular solutions for expanding a local area network (LAN) into a much larger wide area network (WAN) or even an international network is the implementation of a virtual private network, or VPN. This combination of software and hardware allows information managers to safely send and receive data over the Internet without having to support and maintain costly dial-in lines. With this implementation come new security requirements in order to secure and maintain vital company information. Many vendors also exist that allow small to medium sized companies to completely outsource their VPN solution as opposed to implementing and maintaining such a complex system themselves. This paper attempts to discuss the different aspects of a VPN solution to network expansion problems and mobile users. It is divided into five sections: VPN Specifications, Basic VPN Requirements, Tunneling, Advanced Security Features, and Conclusion.

VPN SPECIFICATIONS

Basically a virtual private network is composed of a VPN server at the company end of the connection (typically with access to a company’s intranet), a secure VPN tunnel to transmit and receive data, and a VPN client at the other end (typically a mobile or remote location user). The data travels between these two points across a transit internetwork, and is encrypted to protect it along the way.

Microsoft (6)


Depending on the requirements of a particular business, a virtual private network can be implemented to allow communication between any network resource in a particular branch office with any network resource at the corporate office, or the focus can be narrowed to where a VPN only allows an individual network resource in the branch office to connect to only one or two network resources at the corporate headquarters. These different requirements represent some of the characteristics of basic network connectivity that should be addressed before a VPN solution is considered. Some other requirements used to determine network connectivity include security policy, business models, intranet server access, application requirements, data sharing, and application server access. Depending on the needs of a business, a VPN can be configured to simply expand an already existing intranet, or it can be configured to allow other business partners to have access to certain aspects of the business also. These are referred to as intranet VPN and extranet VPN. With an intranet VPN, all network and VPN resources are managed by a single organization. With an extranet VPN, no single organization has management control over all network and VPN resources; rather each company manages its own VPN equipment. The extranet VPN configuration process involves first configuring a portion of the VPN and then exchanging with partner VPN management organizations the needed subset of configuration information.

BASIC VPN REQUIREMENTS

Once the company has established business requirements and has decided whether they are going to implement an intranet VPN or an extranet VPN, they must understand the basic requirements of a VPN and consider that these requirements hold true regardless of whether they choose to implement an in-house solution or outsource. These criteria define characteristics that they should seek out in commercially available packages or that they should implement if they are producing their own VPN. Therefore, any VPN solution should provide at least all of the following:



- User Authentication. The solution must verify the VPN client’s identity and restrict VPN access to authorized users only. It must also provide audit and accounting records to show who accessed what information and when.

- Address Management. The solution must assign a VPN client’s address on the intranet and ensure that private addresses are kept private.

- Data Encryption. Data carried on the public network must be rendered unreadable to unauthorized clients on the network.

- Key Management. The solution must generate and refresh encryption keys for the client and server.

- Multiprotocol Support. The solution must handle common protocols used in the public network. These include IP (Appendix I), Internetwork Packet Exchange (IPX) (Appendix II), and so on.


An Internet VPN solution based on Point-to-Point Tunneling Protocol (PPTP) (Appendix III) or Layer Two Tunneling Protocol (L2TP) (Appendix IV) meets all of these basic requirements and takes advantage of the broad availability of the Internet. Other solutions, including Internet Protocol Security (IPSec) (Appendix V), meet only some of these requirements, but remain useful for specific situations.

TUNNELING

Tunneling is a method of using an internetwork infrastructure to transfer data for one network over another network. The data to be transferred (or payload) can be the frames (or packets) of another protocol. In order to proceed in a logical manner, a distinction should be made between the notion of a packet and a frame. By definition, a frame is a packet as it is transmitted across a serial line. The term derives from character-oriented protocols that added special start-of-frame and end-of-frame characters when transmitting packets. Frames are essentially the objects that physical networks transmit. A packet is any small block of data sent across a network. It essentially makes up the frames that are transmitted across the physical layers of the network. Instead of sending a frame as it is produced by the originating node, the tunneling protocol encapsulates the frame in an additional header. The additional header provides routing information so that the encapsulated payload can traverse the intermediate network.

Microsoft (6)

The encapsulated packets are then routed between tunnel endpoints over the internetwork. The logical path through which the encapsulated packets travel through the internetwork is called a tunnel. Once the encapsulated frames reach their destination on the internetwork, the frame is decapsulated and forwarded to its final destination. Tunneling includes this entire process (encapsulation, transmission, and decapsulation of packets).

For a tunnel to be established, both the tunnel client and the tunnel server must be using the same tunneling protocol. Tunneling technology can be based on either a Layer 2 or a Layer 3 tunneling protocol. These layers correspond to the Open Systems Interconnection (OSI) Reference Model (Appendix XVI). Layer 2 protocols correspond to the data-link layer and use frames as their unit of exchange. PPTP and L2TP are Layer 2 tunneling protocols; both encapsulate the payload in a Point-to-Point Protocol (PPP) (Appendix VI) frame to be sent across an internetwork. L3TP (Appendix VII) or Layer 3 protocols correspond to the Network layer and use packets. IPSec tunnel mode is an example of a Layer 3 tunneling protocol; it encapsulates IP packets in an additional IP header before sending them across an IP internetwork.

ADVANCED SECURITY FEATURES

The Internet facilitates the creation of VPNs from anywhere, which means that networks need strong security features to prevent unwelcome access to private networks and to protect private data as it traverses the public network. User authentication and data encryption have already been discussed, but this next section provides a brief look ahead to the stronger authentication and encryption capabilities that are available with Extensible Authentication Protocol (EAP) (Appendix VIII) and IPSec.

The first advanced security feature worthy of discussion is symmetric (private-key) encryption and asymmetric (public-key) encryption. Symmetric encryption (also known as conventional encryption) is based on a secret key that is shared by both communicating parties. The sending party uses the secret key as part of the mathematical operation to encrypt (or encipher) plain text to cipher text. The receiving party uses the same secret key to decrypt (or decipher) the cipher text to plain text. Examples of symmetric encryption schemes are the RSA RC4 algorithm (Appendix IX) (which provides the basis for Microsoft Point-to-Point Encryption (MPPE) (Appendix X)), Data Encryption Standard (DES) (Appendix XI), the International Data Encryption Algorithm (IDEA) (Appendix XII), and the Skipjack encryption technology (Appendix XIII) proposed by the United States government. Asymmetric encryption uses two different keys for each user: one is a private key known only to this one user; the other is a corresponding public key, which is accessible to anyone. The private and public keys are mathematically related by the encryption algorithm. One key is used for encryption and the other for decryption, depending on the nature of the communication service being implemented. In addition, public key encryption technologies allow digital signatures to be placed on messages. A digital signature uses the sender’s private key to encrypt some portion of the message. When the message is received, the receiver uses the sender’s public key to decipher the digital signature to verify the sender’s identity.

With symmetric encryption, both sender and receiver have a shared secret key. The distribution of the secret key must occur (with adequate protection) prior to any encrypted communication. However, with asymmetric encryption, the sender uses a private key to encrypt or digitally sign messages, while the receiver uses a public key to decipher these messages. The public key can be freely distributed to anyone who needs to receive the encrypted or digitally signed messages. The sender needs to carefully protect the private key only. To secure the integrity of the public key, the public key is published with a certificate. A certificate (or public key certificate) is a data structure that is digitally signed by a certification authority (CA), an authority that users of the certificate can trust. The certificate contains a series of values, such as the certificate name and usage, information identifying the owner of the public key, the public key itself, an expiration date, and the name of the certificate authority. The CA uses its private key to sign the certificate. If the receiver knows the public key of the certificate authority, the receiver can verify that the certificate is indeed from the trusted CA and, therefore, contains reliable information and a valid public key. Certificates can be distributed electronically (through Web access or e-mail), on smart cards, or on floppy disks.

CONCLUSION

Virtual private networks allow users or corporations to connect to remote servers, branch offices, or other companies over a public internetwork, while maintaining secure communications. In all of these cases, the secure connection appears to the user as a private network communication, despite the fact that this communication occurs over a public internetwork. VPN technology is designed to address issues surrounding the current business trend toward increased telecommuting and widely distributed global operations, where workers must be able to connect to central resources and communicate with each other.

APPENDIXES

APPENDIX I: IP (Internet Protocol)

(Information From Source In Works Cited #11)

IP (INTERNET PROTOCOL)


Internet Protocol (IP) is the method or protocol by which data is sent from one computer to another on the Internet. Each computer (known as a host) on the Internet has at least one IP address that uniquely identifies it from all other computers on the Internet. When you send or receive data (for example, an e-mail note or a Web page), the message gets divided into little chunks called packets. Each of these packets contains both the sender’s Internet address and the receiver’s address. Any packet is sent first to a gateway computer that understands a small part of the Internet. The gateway computer reads the destination address and forwards the packet to an adjacent gateway that in turn reads the destination and so forth across the Internet until one gateway recognizes the packet as belonging to a computer within its immediate neighborhood or domain. That gateway then forwards the packet directly to the computer whose address is specified.

Because a message is divided into a number of packets, each packet can, if necessary, be sent by a different route across the Internet. Packets can arrive in a different order than the order they were sent in. The Internet Protocol just delivers them. It’s up to another protocol, the Transmission Control Protocol (TCP), to put them back in the right order.

IP is a connectionless protocol, which means that there is no continuing connection between the end points that are communicating. Each packet that travels through the Internet is treated as an independent unit of data without any relation to any other unit of data. (The reason the packets do get put in the right order is because of TCP, the connection-oriented protocol that keeps track of the packet sequence in a message.) In the Open Systems Interconnection (OSI) communication model, IP is in layer 3, the Networking Layer.

The most widely used version of IP today is Internet Protocol Version 4 (IPv4). However, IP Version 6 (IPv6) is also beginning to be supported. IPv6 provides for much longer addresses and therefore for the possibility of many more Internet users. IPv6 includes the capabilities of IPv4 and any server that can support IPv6 packets can also support IPv4 packets.



APPENDIX II: Internetwork Packet Exchange (IPX)

(Information From Source In Works Cited #12)

INTERNETWORK PACKET EXCHANGE (IPX)

IPX (Internetwork Packet Exchange) is a networking protocol from Novell that interconnects networks that use Novell’s NetWare clients and servers. IPX is a datagram or packet protocol. IPX works at the Network Layer of communication protocols and is connectionless (that is, it doesn’t require that a connection be maintained during an exchange of packets as, for example, a regular voice phone call does).

Packet acknowledgment is managed by another Novell protocol, the Sequenced Packet Exchange (SPX). Other related Novell NetWare protocols are: the Routing Information Protocol (RIP), the Service Advertising Protocol (SAP), and the NetWare Link Services Protocol (NLSP).
APPENDIX III: Point-To-Point Tunneling Protocol (PPTP)

(Information From Source In Works Cited #5)

POINT-TO-POINT TUNNELING PROTOCOL (PPTP)

You can access a private network through the Internet or other public network by using a virtual private network connection with the Point-to-Point Tunneling Protocol (PPTP). PPTP enables the secure transfer of data from a remote computer to a private server by creating a VPN across TCP/IP-based data networks. PPTP supports on-demand, multiprotocol, virtual private networking over public networks, such as the Internet.

Developed as an extension of the Point-to-Point Protocol (PPP), PPTP adds a new level of enhanced security and multiprotocol communications over the Internet. Specifically, by using the new Extensible Authentication Protocol (EAP), data transfer through a PPTP-enabled VPN is as secure as within a single LAN at a corporate site.

PPTP tunnels, or encapsulates, IP, IPX, or NetBEUI protocols inside of PPP datagrams. This means that you can remotely run applications that are dependent upon particular network protocols. The tunnel server performs all security checks and validations, and enables data encryption, which makes it much safer to send information over non-secure networks. You can also use PPTP in private LAN-to-LAN networking.

PPTP does not require a dial-up connection. It does, however, require IP connectivity between your computer and the server. If you are directly attached to an IP LAN and can reach a server, then you can establish a PPTP tunnel across the LAN. If, however, you are creating a tunnel over the Internet, and your normal Internet access is a dial-up connection to an ISP, you must dial up your Internet connection before you can establish the tunnel.
APPENDIX IV: Layer Two Tunneling Protocol (L2TP)

(Information From Source In Works Cited #6)

LAYER TWO TUNNELING PROTOCOL (L2TP)

You can access a private network through the Internet or other public network by using a virtual private network connection with the Layer Two Tunneling Protocol (L2TP). L2TP is an industry-standard Internet tunneling protocol with roughly the same functionality as the Point-to-Point Tunneling Protocol (PPTP). The Windows 2000 implementation of L2TP is designed to run natively over IP networks. This implementation of L2TP does not support native tunneling over X.25, Frame Relay, or ATM networks.

Based on the Layer Two Forwarding (L2F) and Point-to-Point Tunneling Protocol (PPTP) specifications, you can use L2TP to set up tunnels across intervening networks. Like PPTP, L2TP encapsulates Point-to-Point Protocol (PPP) frames, which in turn encapsulate IP, IPX, or NetBEUI protocols, thereby allowing users to remotely run applications that are dependent upon specific network protocols.

With L2TP, the computer running Windows 2000 Server that you are logging on to performs all security checks and validations, and enables data encryption, which makes it much safer to send information over non-secure networks. By using the new Internet Protocol security (IPSec) authentication and encryption protocol, data transfer through an L2TP-enabled VPN is as secure as within a single LAN at a corporate site.

The Data-Link layer is the protocol layer in a program that handles the moving of data in and out across a physical link in a network. The Data-Link layer is layer 2 in the Open Systems Interconnect (OSI) model for a set of telecommunication protocols.

The Data-Link layer contains two sub layers that are described in the IEEE 802 LAN standards:

- Media Access Control (MAC)

- Logical Link Control (LLC)

The Data-Link layer ensures that an initial connection has been set up, divides output data into data frames, and handles the acknowledgements from a receiver that the data arrived successfully. It also ensures that incoming data has been received successfully by analyzing bit patterns at special places in the frames.

APPENDIX V: Internet Protocol Security (IPSec)

(Information From Source In Works Cited #21)

INTERNET PROTOCOL SECURITY (IPSEC)

The IPSec protocol suite is a set of IP extensions that provide security services at the network level that is compatible with the current version of IP (IPv4) as well as IPv6.

IPSec protocols are standards-based and provide the three factors needed for secure communications (authentication, integrity, and confidentiality), even in large networks. The end result is that with IPSec-compliant products, you can build a secure VPN in any existing IP-based network.

Network level security is the feature that sets IPSec apart from other Internet security technologies, which secure communications at the application layer and are application specific. Because IPSec secures communications at the network layer (OSI layer 3), it is effective regardless of the application being used.

Another differentiating factor is that the network layer in IP networks is entirely homogeneous, and it’s the only layer that is. This means that any communication passing through an IP network has to use the IP protocol. In other layers, different protocols hold sway in different areas for different reasons, depending on the network architecture and the type of communication. But sooner or later everything has to go through the network layer, and there is only one protocol used in that layer: IP. So, if the network layer is secure, the network itself is secure. This is precisely what IPSec is designed to do.

In other words, if you use the IPSec suite where you would normally use IP, you secure all communications in your network, for all applications and for all users, more transparently than you would using any other approach.

The IPSec protocol suite provides three interlocking technologies that combine to defeat traditional threats to IP based networks:

- Authentication header (AH): Information stored in the authentication header ties data in each packet to a verifiable signature, allowing communicating parties to verify both the identity of the person sending the data and that the data has not been altered.

- Encapsulating security payload (ESP): The ESP encrypts (scrambles) data (and even certain sensitive IP addresses) in each packet using hard-core encryption to secure it against eavesdropping during transit.

- Internet key exchange (IKE): IKE is a protocol negotiation and key exchange protocol that allows communicating parties to negotiate methods of secure communication. IKE allows users to agree on authentication methods, the keys to use, and how long to use the keys before exchanging them.
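The encapsulation described in the Tunneling section (IPSec tunnel mode wrapping an IP packet in an additional IP header) and the AH integrity check described just above, as one added worked example that is not part of the original paper. It assumes the two tunnel endpoints already share a key (the job IKE performs in IPSec), computes the integrity check value (ICV) with HMAC-SHA-256 truncated to 128 bits over the outer packet with its mutable fields (TTL and header checksum) zeroed, as AH does, and carries the ICV as a trailer rather than in AH's real wire format. All addresses, the key and the payload are constructed sample values. The point it shows is that a router on the path may decrement the TTL without invalidating the ICV, while any other change is detected and the packet dropped at the tunnel exit.

```python
"""IP-in-IP tunnel encapsulation with an AH-style integrity check.

Added example (not from the paper). The ICV is HMAC-SHA-256 truncated to 128 bits
over the outer packet with mutable fields zeroed; it is appended as a trailer,
which is not AH's wire format. Key, addresses and payload are constructed.
"""
import hashlib
import hmac
import ipaddress
import struct
from typing import Optional

IPPROTO_IPIP = 4    # protocol number meaning "an IPv4 packet follows this header"
ICV_LEN = 16        # 128-bit truncated MAC, as in AH's HMAC-SHA-256-128

SAMPLE_KEY = b"constructed-demo-key-do-not-reuse"   # assumed agreed out of band (IKE's job)


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum. Run over a header that already carries
    a correct checksum it yields 0, which is how a receiver validates the header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Build a minimal 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def icv(packet: bytes, key: bytes) -> bytes:
    """ICV over the outer packet with the mutable fields zeroed: byte 8 (TTL) and
    bytes 10-11 (header checksum) legitimately change at every hop."""
    immutable = packet[:8] + b"\x00" + packet[9:10] + b"\x00\x00" + packet[12:]
    return hmac.new(key, immutable, hashlib.sha256).digest()[:ICV_LEN]


def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str, key: bytes) -> bytes:
    """Tunnel entry: outer IP header + whole inner packet, followed by the ICV."""
    outer = ipv4_header(tunnel_src, tunnel_dst, IPPROTO_IPIP, len(inner) + ICV_LEN) + inner
    return outer + icv(outer, key)


def forward_hop(packet: bytes) -> bytes:
    """An intermediate router: decrement TTL and recompute the header checksum only."""
    hdr = packet[:8] + bytes([packet[8] - 1]) + packet[9:10] + b"\x00\x00" + packet[12:20]
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + packet[20:]


def decapsulate(packet: bytes, key: bytes) -> Optional[bytes]:
    """Tunnel exit: validate the outer header and the ICV, then return the inner
    packet for forwarding. Returns None (drop) on any failure."""
    if len(packet) < 20 + ICV_LEN or packet[0] != 0x45 or packet[9] != IPPROTO_IPIP:
        return None
    if checksum(packet[:20]) != 0:
        return None                      # outer header corrupted in transit
    body, tag = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(icv(body, key), tag):
        return None                      # altered payload/addresses, or wrong key
    return body[20:]


def sample_inner() -> bytes:
    """A constructed inner packet from a branch LAN host to a corporate LAN host."""
    payload = b"sample payload, constructed"
    return ipv4_header("10.1.0.5", "10.2.0.9", 17, len(payload)) + payload


if __name__ == "__main__":
    inner = sample_inner()
    tunneled = encapsulate(inner, "203.0.113.10", "198.51.100.20", SAMPLE_KEY)
    after_two_hops = forward_hop(forward_hop(tunneled))
    print("survives TTL decrements:", decapsulate(after_two_hops, SAMPLE_KEY) == inner)
    tampered = bytearray(after_two_hops)
    tampered[-ICV_LEN - 1] ^= 0x01       # flip one bit of the inner payload
    print("tampered packet dropped:", decapsulate(bytes(tampered), SAMPLE_KEY) is None)
```

The exit side fails closed: a packet that does not verify produces no inner packet rather than an error the caller might ignore, and the comparison uses a constant-time compare. Zeroing only the fields that routers are entitled to change is what lets the same ICV be checked end to end across an arbitrary path.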





APPENDIX VI: Point-To-Point Protocol (PPP)

(Information From Source In Works Cited #6)

POINT-TO-POINT PROTOCOL (PPP)

The Point-to-Point Protocol (PPP) is a set of standard protocols that allow remote access software from different vendors to interoperate. A PPP-enabled connection can dial into remote networks through any industry-standard PPP server. PPP also permits a computer running Windows 2000 Server remote access to receive calls from, and provide network access to, other vendors' remote access software that complies with the PPP standards.

The PPP standards also permit advanced features that are not available with older standards such as SLIP. PPP supports several authentication methods, as well as data compression and encryption. With most PPP implementations, you can automate the entire logon sequence.

PPP also supports multiple LAN protocols. You can use TCP/IP, IPX, or NetBEUI as your network protocol. PPP is the basis for the PPTP and L2TP protocols, which are used in secure virtual private network connections.

APPENDIX VII: Layer Three Tunneling Protocol (L3TP)

(Information From Source In Works Cited #6)

LAYER THREE TUNNELING PROTOCOL (L3TP)

In the Open Systems Interconnection (OSI) communications model, the Network layer is level three. It knows the address of the neighboring nodes in the network, packages output with the correct network address information, selects routes and Quality of Service (QoS) (Appendix XIV), and recognizes and forwards to the Transport layer incoming messages for local host domains. Among existing protocols that generally map to the OSI network layer are the Internet Protocol (IP) part of TCP/IP and NetWare IPX/SPX. Both IP Version 4 and IP Version 6 (IPv6) map to the OSI network layer.

APPENDIX VIII: Extensible Authentication Protocol (EAP)

(Information From Source In Works Cited #13)

EXTENSIBLE AUTHENTICATION PROTOCOL (EAP)

Extensible Authentication Protocol (EAP) is an extension to the Point-to-Point Protocol (PPP). EAP was developed in response to an increasing demand for remote access user authentication that uses other security devices. EAP provides a standard mechanism for support of additional authentication methods within PPP. By using EAP, support for a number of authentication schemes may be added, including token cards, one-time passwords, public key authentication using smart cards, certificates, and others. EAP, in conjunction with strong EAP authentication methods, is a critical technology component for secure virtual private network connections because it offers more security against brute-force or dictionary attacks and password guessing than other authentication methods, such as CHAP.

APPENDIX IX: RSA RC4 Algorithm

(Information From Source In Works Cited #14)

RSA RC4 ALGORITHM

The RSA cryptosystem is a public-key cryptosystem that offers both encryption and digital signatures (authentication). Ronald Rivest, Adi Shamir, and Leonard Adleman developed the RSA system in 1977; RSA stands for the first letter in each of its inventors’ last names.

RC4 is a stream cipher designed by Rivest for RSA Data Security (now RSA Security). It is a variable key-size stream cipher with byte-oriented operations. The algorithm is based on the use of a random permutation.

Analysis shows that the period of the cipher is overwhelmingly likely to be greater than 10^100. Eight to sixteen machine operations are required per output byte, and the cipher can be expected to run very quickly in software. Independent analysts have scrutinized the algorithm and it is considered secure.

RC4 is used for file encryption in products such as RSA SecurPC. It is also used for secure communications, as in the encryption of traffic to and from secure web sites using the SSL protocol.
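The stream cipher described in this appendix, as an added worked example that is not part of the original paper: the key-scheduling algorithm builds the key-dependent permutation the text mentions, and the output generator walks it to produce one keystream byte per plaintext byte. The result is checked against the widely circulated test vector (key "Key", plaintext "Plaintext"). The last function shows the property that makes the paper's Key Management requirement (generate and refresh keys) essential for any stream cipher: two messages under one key leave the XOR of their plaintexts exposed. RC4 has since been deprecated for TLS (RFC 7465) and belongs in no new design; the sample keys and messages here are constructed.

```python
"""RC4 key scheduling and keystream generation (added example, not from the paper).

Deprecated for TLS by RFC 7465; shown for understanding only. Keys and messages
below are constructed sample values.
"""
from typing import Iterator


def rc4_keystream(key: bytes) -> Iterator[int]:
    """KSA: key-dependent permutation S of 0..255. PRGA: one keystream byte per step."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: both are the same XOR with the keystream."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def key_reuse_exposes_plaintext_xor(key: bytes, p1: bytes, p2: bytes) -> bool:
    """Two messages under one key: the keystream cancels in c1 XOR c2, leaving
    p1 XOR p2 visible to anyone holding both ciphertexts. Returns True when
    the leak is present, which for a reused stream-cipher key is always."""
    c1, c2 = rc4(key, p1), rc4(key, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


if __name__ == "__main__":
    ct = rc4(b"Key", b"Plaintext")
    print(ct.hex())                      # bbf316e8d940af0ad3
    print(rc4(b"Key", ct))               # b'Plaintext'
    print(key_reuse_exposes_plaintext_xor(b"session-key", b"first message", b"second one!!!"))
```

Because the keystream depends only on the key, every session (and every direction) needs its own fresh key; a VPN that negotiated one RC4 key and kept using it would have exactly the exposure the last function demonstrates.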
APPENDIX X: Microsoft Point-To-Point Encryption (MPPE)

(Information From Source In Works Cited #15)

MICROSOFT POINT-TO-POINT ENCRYPTION (MPPE)

Microsoft Point-to-Point Encryption (MPPE) encrypts data in PPP-based dial-up connections or PPTP VPN connections. Strong (128-bit key) and standard (40-bit key) MPPE encryption schemes are supported. MPPE provides data security between your PPTP connection and the tunnel server. You can use the 40-bit version worldwide; it is built into every computer running Windows 2000. The 128-bit level of encryption is available only in the United States and Canada. You can enable the 128-bit version by installing a specific version of both client and server software.

APPENDIX XI: Data Encryption Standard (DES)

(Information From Source In Works Cited #16)

DATA ENCRYPTION STANDARD (DES)

Data Encryption Standard (DES) is a widely used method of data encryption using a private (secret) key judged so difficult to break by the U.S. government that it was restricted for exportation to other countries. There are 72,000,000,000,000,000 (72 quadrillion) or more possible encryption keys that can be used. For each message, the key is chosen at random from among this enormous number of keys. Like other private key cryptographic methods, both the sender and the receiver must know and use the same private key.

It was developed in the 1970s by the National Bureau of Standards with the help of the National Security Agency. Its purpose is to provide a standard method for protecting sensitive commercial and unclassified data. IBM created the first draft of the algorithm, calling it LUCIFER. DES officially became a federal standard in November of 1976.

APPENDIX XII: International Data Encryption Algorithm (IDEA)

(Information From Source In Works Cited #22)

INTERNATIONAL DATA ENCRYPTION ALGORITHM (IDEA)

IDEA (International Data Encryption Algorithm) is an encryption algorithm developed at ETH in Zurich, Switzerland. It uses a block cipher with a 128-bit key, and is generally considered to be very secure. It is considered among the best publicly known algorithms. In the several years that it has been in use, no practical attacks on it have been published despite a number of attempts to find some. IDEA is patented in the United States and in most of the European countries. The patent is held by Ascom-Tech. Non-commercial use of IDEA is free.

APPENDIX XIII: Skipjack Encryption Technology

(Information From Source In Works Cited #17)

SKIPJACK ENCRYPTION TECHNOLOGY

SKIPJACK is a 64-bit “electronic codebook” algorithm that transforms a 64-bit input block into a 64-bit output block. The transformation is parameterized by an 80-bit key, and involves performing 32 steps or iterations of a complex, nonlinear function. The algorithm can be used in any one of the four operating modes defined in FIPS 81 for use with the Data Encryption Standard (DES).

The SKIPJACK algorithm was developed by NSA and is classified SECRET. It is representative of a family of encryption algorithms developed in 1980 as part of the NSA suite of “Type I” algorithms, suitable for protecting all levels of classified data. The specific algorithm, SKIPJACK, is intended to be used with sensitive but unclassified information.

Virtual Private Networks (VPN)



Page
24

of
31

APPENDIX XIV: Quality Of Service (QoS)

(Information

From Source In Works Cited #4)


Q
UALITY
O
F
S
ERVICE
(Q
O
S)


Quality Of Service (QoS) has to do with the minimum requirements for data quality
across a network. These specifications must be planned for well in advance so that they can be
implemented into th
e system. Quality of service (QoS) generally encompasses bandwidth
allocation, prioritization, and control over network latency for network applications. QoS aims
to ensure that a company’s mission critical traffic has acceptable performance. There are
three
QoS building blocks that make up a virtual private network. Those building blocks include
packet classification, bandwidth management, and congestion avoidance.

Packet classification groups packets based on predefined criteria so that the resultin
g
group of packets can then be subjected to specific packet treatments. The treatments might
include faster forwarding by intermediate routers and switches or lesser probability of the
packets being dropped due to lack of buffering resources.

Once traffic has been classified, the next step is to ensure that it receives special
treatment in the routers. This special treatment centers on scheduling and queuing. In the
description that follows, a flow is a group of packets which share a common criterion, whether
that criterion is a source/destination IP address, a TCP/UDP (Appendix XV) port number, a
protocol, or a type of service (TOS) field. Two examples of bandwidth management
implementations include weighted fair queuing (WFQ) based upon class and weighted fair
queuing (WFQ) based upon flow. Class-based WFQ aims to provide weighted fair queuing
functionality among traffic classes defined by the user. A user could create traffic classes using
mechanisms like Access Control Lists (ACLs) and then assign a fraction of the output interface
bandwidth to each of these traffic classes. In flow-based WFQ, packets are classified by flow.
Each flow corresponds to a separate output queue. When a packet is assigned to a flow, it is
placed in the queue for that flow. During periods of congestion, WFQ allocates a portion of the
available bandwidth to each active queue. The primary difference between flow-based WFQ and
class-based WFQ is the fact that in flow-based WFQ bandwidth allocation is relative to other
flows, but in class-based WFQ bandwidth allocation is absolute. Class-based WFQ allows the
user to assign bandwidth to a class based upon a percentage of the available bandwidth or a fixed
kbps value.

Routers handle traffic in a variety of manners; the two most prevalent are traffic shaping
and traffic policing. Traffic shaping queues and forwards data streams (as opposed to dropping
excess traffic) so as to conform to agreed upon Service Level Agreements (SLAs) which have
been established with the service provider. Traffic policing actually drops excess traffic and
requires retransmission of data.
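Traffic policing versus traffic shaping under the same contract, as an added example that is not from the cited Cisco paper: a token bucket (a common way to implement both, assumed here) is run over a constructed packet trace, and a small criteria-matching classifier stands in for the ACL-based class map described above. The rate, burst size and packet values are constructed; the class map structure is an assumption, not a vendor format.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    arrival: float   # seconds since start of the trace
    size: int        # bytes
    dst_port: int = 0
    tos: int = 0     # IP type of service (TOS) field

def classify(pkt, classes):
    """Packet classification: the first class whose criteria all match wins.
    `classes` maps a class name to {field: required value}; this stands in
    for an ACL-based class map (assumed structure, not a vendor format)."""
    for name, criteria in classes.items():
        if all(getattr(pkt, f) == v for f, v in criteria.items()):
            return name
    return "default"

def _refill(tokens, elapsed, rate_bps, burst_bytes):
    """Tokens earned during `elapsed` seconds, capped at the burst size."""
    return min(burst_bytes, tokens + elapsed * rate_bps / 8)

def police(packets, rate_bps, burst_bytes):
    """Traffic policing: a packet that does not fit the bucket is dropped
    and must be retransmitted by the sender. Returns (forwarded, dropped)."""
    tokens, last = float(burst_bytes), 0.0
    forwarded, dropped = [], []
    for p in packets:
        tokens = _refill(tokens, p.arrival - last, rate_bps, burst_bytes)
        last = p.arrival
        if p.size <= tokens:
            tokens -= p.size
            forwarded.append(p)
        else:
            dropped.append(p)
    return forwarded, dropped

def shape(packets, rate_bps, burst_bytes):
    """Traffic shaping: excess packets wait in the queue until enough tokens
    accrue, so nothing is dropped but later packets are delayed.
    Returns [(release_time, packet)]; assumes every size <= burst_bytes."""
    tokens, clock = float(burst_bytes), 0.0
    released = []
    for p in packets:
        now = max(clock, p.arrival)          # the queue serializes packets
        tokens = _refill(tokens, now - clock, rate_bps, burst_bytes)
        if p.size > tokens:                  # wait just long enough to afford it
            now += (p.size - tokens) * 8 / rate_bps
            tokens = float(p.size)
        tokens -= p.size
        clock = now
        released.append((now, p))
    return released

# Constructed trace: five 500-byte packets 100 ms apart (40 kbit/s offered)
# against an 8 kbit/s contract (1000 bytes/s) with a 1000-byte burst allowance.
TRACE = [Packet(0.1 * i, 500, dst_port=443, tos=0x10) for i in range(5)]
CONTRACT = dict(rate_bps=8000, burst_bytes=1000)

if __name__ == "__main__":
    fwd, drop = police(TRACE, **CONTRACT)
    print(f"policing: forwarded {len(fwd)}, dropped {len(drop)}")
    for t, p in shape(TRACE, **CONTRACT):
        print(f"shaping: arrived {p.arrival:.1f}s, released {t:.1f}s")
```

With this trace the policer forwards two packets and drops three, while the shaper delivers all five but releases the last one 1.1 s after it arrived.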

Congestion avoidance is defined as the ability to recognize and act upon congestion on
the output direction of an interface so as to reduce or minimize the effects of that congestion.
Congestion produces adverse effects in a VPN and should be avoided.

It should be noted that a company’s QoS requirements are important but should be considered
separate from the VPN solution; after all, the VPN will blindly encrypt or decrypt packets
regardless of their QoS requirements. In order to preserve their QoS requirements, a company
should consider a trusted network VPN.


APPENDIX XV: TCP/UDP

(Information From Source In Works Cited #6)


TCP/UDP


Transmission Control Protocol/Internet Protocol (TCP/IP) is an industry standard suite of
protocols providing communications in a heterogeneous environment. In addition, TCP/IP
provides a routable, enterprise networking protocol and access to the worldwide Internet and its
resources.

It has become the standard protocol used for interoperability among many different types
of computers. This interoperability is one of the primary advantages of TCP/IP. Almost all
networks support TCP/IP as a protocol. TCP/IP also supports routing, and is commonly used as
an internetworking protocol.

Because of its popularity, TCP/IP has become the de facto standard for internetworking.
Other protocols written specifically for the TCP/IP suite include:

SMTP (simple mail transfer protocol): e-mail
FTP (File Transfer Protocol): for exchanging files among computers running TCP/IP
SNMP (simple network management protocol): network management


Historically, there were two primary disadvantages of TCP/IP: its size and speed.
TCP/IP is a relatively large protocol stack which can cause problems in MS-DOS-based clients.
However, on graphical user interface (GUI)-based operating systems, such as Windows NT or
Windows 95, the size is not an issue and speed is about the same as IPX.

User Datagram Protocol (UDP) is a connectionless protocol that, like TCP, runs on top of
IP networks. Unlike TCP/IP, UDP/IP provides very few error recovery services, offering instead
a direct way to send and receive datagrams over an IP network. It’s used primarily for
broadcasting messages over a network.




APPENDIX XVI: The OSI Model

(Information From Source In Works Cited #23)


THE OSI MODEL


In 1978, the International Standards Organization (ISO) released a set of specifications
that described a network architecture for connecting dissimilar devices. The original document
applied to systems that were open to each other because they could all use the same protocols
and standards to exchange information.


Note

Every networking professional needs to be aware of the major standards organizations and
how their work affects network communications. A review of the ten organizations, each of which
defines standards for a different area of network activity, is as follows:

American National Standards Institute (ANSI)
Common Open Software Environment (COSE)
Comité Consultatif Internationale de Télégraphie de Téléphonie (CCITT)
Corporation For Open Systems (COS)
Electronics Industries Association (EIA)
Institute Of Electrical And Electronics Engineers, Inc. (IEEE)
International Standards Organization (ISO)
Object Management Group (OMG)
Open Software Foundation (OSF)
SQL Access Group (SAG)



In 1984, the ISO released a revision of this model and called it the Open Systems
Interconnection (OSI) reference model. The 1984 revision has become an international standard
and serves as a guide for networking.


This model is the best-known and most widely used guide to describe networking
environments. Vendors design network products based on the specifications of the OSI model.
It provides a description of how network hardware and software work together in a layered
fashion to make communications possible. It also helps with troubleshooting by providing a
frame of reference that describes how components are supposed to function.


A LAYERED ARCHITECTURE


The OSI model is an architecture that divides network communication into seven layers.
Each layer covers different network activities, equipment or protocols.

7. Application Layer
6. Presentation Layer
5. Session Layer
4. Transport Layer
3. Network Layer
2. Data Link Layer
1. Physical Layer


The above figure represents the layered architecture of the OSI model. Layering
specifies different functions and services at different levels. Each OSI layer has well-defined
networking functions, and the functions of each layer communicate and work with the functions
of the layers immediately above and below it. For example, the Session layer must communicate
and work with the Presentation and Transport layers.


The lowest layers (1 and 2) define the network’s physical media and related tasks, such
as putting data bits onto the network adapter cards and cable. The highest layers define how
applications access communication services. The higher the layer, the more complex its task.


Each layer provides some service or action that prepares the data for delivery over the
network to another computer. The layers are separated from each other by boundaries called
interfaces. All requests are passed from one layer, through the interface, to the next layer. Each
layer builds upon the standards and activities of the layer below it.


RELATIONSHIP OF OSI MODEL LAYERS


The purpose of each layer is to provide services to the next higher layer and shield the
upper layer from the details of how the services are actually implemented. The layers are set up
in such a way that each layer acts as if it is communicating with its associated layer on the other
computer. This is a logical or virtual communication between peer layers. In reality, actual
communication takes place between adjacent layers on one computer. At each layer there is
software that implements certain network functions according to a set of protocols.


Before data is passed from one layer to another it is broken down into packets. A packet
is a unit of information transmitted as a whole from one device to another on a network. The
network passes a packet from one software layer to another in the order of the layers. At each
layer the software adds some additional formatting or addressing to the packet, which it needs to
be successfully transmitted across the network.


At the receiving end, the packet passes through the layers in the reverse order. A
software utility at each layer reads the information on the packet, strips it away, and passes the
packet up to the next layer. When the packet finally gets passed up to the Application layer, the
addressing information has been stripped away and the packet is in its original form, which is
readable by the receiver.


Except for the lowest layer in the networking model, no layer can pass information
directly to its counterpart on another computer. Information on the sending computer must be
passed through all of the lower layers. The information then moves across the networking cable
to the receiving computer and up that computer’s networking layers until it arrives at the same
level from which it was sent. For example, if the Network layer sent information from computer
A, it moves down through the Data Link and the Physical layers on the sending side, over the
cable, and up the Physical and Data Link layers on the receiving side to its destination at the
Network layer on computer B.


In a client/server environment, an example of the kind of information sent from the
Network layer on computer A to the Network layer on computer B would be a network address
and perhaps some error checking information added to the packet.


Interaction between adjacent layers occurs through an interface. The interface defines
which services the lower networking layer offers to the upper one and how those services will be
accessed. In addition, each layer on one computer acts as though it is communicating directly
with the same layer on another computer.


The following sections describe the purpose of each of the seven layers of the OSI model
and identify services that they provide to all adjacent layers.



Application Layer


Layer 7, the topmost layer of the OSI model, is the Application layer. It serves as the
window for application processes to access network services. This layer represents the services
that directly support user applications, such as software for file transfers, for database access,
and for e-mail. The lower levels support these tasks performed at the application level. The
Application layer handles general network access, flow control, and error recovery.


Presentation Layer


Layer 6, the Presentation layer, determines the format used to exchange data among
networked computers. It can be called the network’s translator. At the sending computer, this
layer translates data from a format sent down from the Application layer into a commonly
recognized, intermediary format. At the receiving computer, this layer translates the
intermediary format into a format useful to that computer’s Application layer. The Presentation
layer is responsible for protocol conversion, translating the data, encrypting the data, changing or
converting the character set, and expanding graphics commands. The Presentation layer also
manages data compression to reduce the number of bits that need to be transmitted.


A utility known as the redirector operates at this layer. The purpose of the redirector is to
redirect input/output (I/O) operations to resources on a server.


Session Layer


Layer 5, the Session layer, allows two applications on different computers to establish,
use, and end a connection called a session. This layer performs name recognition and the
functions, such as security, needed to allow two applications to communicate over the network.


The Session layer provides synchronization between user tasks by placing checkpoints in
the data stream. This way, if the network fails, only the data after the last checkpoint has to be
retransmitted. This layer also implements dialog control between communicating processes,
regulating which side transmits, when, for how long, and so on.


Transport Layer


Layer 4, the Transport layer, provides an additional connection level beneath the Session
layer. The Transport layer ensures that packets are delivered error free, in sequence, and with no
losses or duplications. This layer repackages messages, dividing long messages into several
packets and collecting small packets together in one package. This allows the packets to be
transmitted efficiently over the network. At the receiving end, the Transport layer unpacks the
messages, reassembles the original messages, and typically sends an acknowledgment of receipt.


The Transport layer provides flow control, error handling, and is involved in solving
problems concerned with the transmission and reception of packets.


Network Layer


Layer 3, the Network layer, is responsible for addressing messages and translating logical
addresses and names into physical addresses. This layer also determines the route from the
source to the destination computer. It determines which path the data should take based on
network conditions, priority of service, and other factors. It also manages traffic problems on the
network, such as packet switching, routing, and controlling the congestion of data.



If the network adapter on the router cannot transmit a data chunk as large as the source
computer sends, the Network layer on the router compensates by breaking the data into smaller
units. On the destination end, the Network layer reassembles the data.


Data Link Layer


Layer 2, the Data Link layer, sends data frames from the Network layer to the Physical
layer. On the receiving end, it packages raw bits from the Physical layer into data frames. A
data frame is an organized, logical structure in which data can be placed.


A simple data frame has several different aspects to be noted. The sender ID represents
the address of the computer that is sending the information; the destination ID represents the
address of the computer to which the information is being sent. The control information is used
for frame type, routing, and segmentation information. The data is the information itself. The
cyclical redundancy check (CRC) represents error correction and verification information to
ensure that the data frame is received properly.


The data link layer is responsible for providing the error-free transfer of these frames
from one computer to another through the Physical layer. This allows the Network layer to
assume virtually error-free transmission over the network connection.


Generally, when the Data Link layer sends a frame, it waits for an acknowledgment from
the recipient. The recipient Data Link layer detects any problems with the frame that may have
occurred during transmission. Frames that were not acknowledged, or frames that were damaged
during transmission, are resent.
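The encapsulation walk described under the relationship of the layers (each layer adding its own addressing on the way down, the receiver stripping it in reverse) together with the data frame fields listed above, as an added example that is not from the cited training material: the addresses, header layouts, control byte and sequence number are constructed, and zlib’s CRC-32 stands in for the frame’s CRC.

```python
import struct
import zlib

# Constructed sample addresses for the two hosts (computer A and computer B).
A_MAC, B_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
A_IP, B_IP = "10.0.0.1", "10.0.0.2"

def transport_encap(payload: bytes, seq: int) -> bytes:
    """Layer 4: prepend a sequence number so the receiver can order and acknowledge."""
    return struct.pack("!I", seq) + payload

def network_encap(segment: bytes, src_ip: str, dst_ip: str) -> bytes:
    """Layer 3: prepend the logical (IP) source and destination addresses."""
    return bytes(map(int, src_ip.split("."))) + bytes(map(int, dst_ip.split("."))) + segment

def datalink_encap(packet: bytes, src_mac: bytes, dst_mac: bytes, ctrl: int = 0) -> bytes:
    """Layer 2 frame: sender ID, destination ID, control, data, CRC.
    The CRC catches accidental damage in transit; it is not a cryptographic check."""
    body = src_mac + dst_mac + struct.pack("!BH", ctrl, len(packet)) + packet
    return body + struct.pack("!I", zlib.crc32(body) & 0xFFFFFFFF)

def send(payload: bytes, seq: int = 1) -> bytes:
    """Pass data down layers 4, 3 and 2; the result is what layer 1 puts on the wire."""
    segment = transport_encap(payload, seq)
    packet = network_encap(segment, A_IP, B_IP)
    return datalink_encap(packet, A_MAC, B_MAC)

def datalink_decap(frame: bytes):
    """Layer 2 at the receiver: verify the CRC, then strip the frame header.
    Returns None for a damaged frame (it is not acknowledged, so the sender resends)."""
    if len(frame) < 19:                       # 15-byte header + 4-byte CRC
        return None
    body, crc = frame[:-4], struct.unpack("!I", frame[-4:])[0]
    if zlib.crc32(body) & 0xFFFFFFFF != crc:
        return None
    ctrl, length = struct.unpack("!BH", body[12:15])
    return {"src": body[:6], "dst": body[6:12], "ctrl": ctrl}, body[15:15 + length]

def network_decap(packet: bytes):
    """Layer 3 at the receiver: read and strip the logical addresses."""
    src, dst = ".".join(map(str, packet[:4])), ".".join(map(str, packet[4:8]))
    return {"src_ip": src, "dst_ip": dst}, packet[8:]

def transport_decap(segment: bytes):
    """Layer 4 at the receiver: read and strip the sequence number."""
    return struct.unpack("!I", segment[:4])[0], segment[4:]

def receive(frame: bytes):
    """Pass a frame up layers 2, 3 and 4, each layer talking only to its neighbour.
    Returns (payload, per-layer header info), or None if the frame was damaged."""
    link = datalink_decap(frame)
    if link is None:
        return None
    l2, packet = link
    l3, segment = network_decap(packet)
    seq, payload = transport_decap(segment)
    return payload, {"link": l2, "network": l3, "seq": seq}

if __name__ == "__main__":
    frame = send(b"GET file", seq=7)
    print(len(frame), "bytes on the wire;", receive(frame))
    damaged = bytearray(frame)
    damaged[30] ^= 0x01                      # one flipped bit in the data field
    print("damaged frame accepted?", receive(bytes(damaged)) is not None)
```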


Physical Layer


Layer 1, the bottommost layer of the OSI model, is the Physical layer. This layer
transmits the unstructured raw bit stream over a physical medium (such as the network cable).
The Physical layer relates the electrical, optical, mechanical, and functional interfaces to the
cable. The Physical layer also carries the signals that transmit data generated by all of the higher
layers.


This layer defines how the cable is attached to the network adapter card. For example, it
defines how many pins the connector has and each pin’s function. It also defines which
transmission technique will be used to send data over the network cable.


The Physical layer is responsible for transmitting bits (zeros and ones) from one
computer to another. The bits themselves have no defined meaning at this level. This layer
defines data encoding and bit synchronization, ensuring that when a transmitting host sends a 1
bit, it is received as a 1 bit, not a 0 bit. This layer also defines how long each bit lasts and how
each bit is translated into the appropriate electrical or optical impulse for the network cable.


WORKS CITED


1.) Adtran. “Understanding Virtual Private Networking”. Huntsville, AL 35814-4000. 2001.
http://www.adtran.com/all/public/

2.) Cisco Systems. “Access VPNs For The Enterprise”. San Jose, CA 95134. 2002.
http://www.cisco.com/warp/public/cc/so/neso/vpn/vpnsp/justify/avpnn_bc.htm

3.) Cisco Systems. “IPSec”. San Jose, CA 95134. 2000.
http://www.cisco.com/warp/public/cc/so/neso/sqso/eqso/ipsec_wp.htm

4.) Cisco Systems. “Quality Of Service For Virtual Private Networks”. San Jose, CA 95134. 2002.
http://www.cisco.com/warp/public/cc/so/neso/vpn/vpne/qsvpn_wp.htm

5.) Microsoft Corporation. “Point-To-Point Tunneling Protocol (PPTP) FAQ”. Redmond, WA 98052-6399. 2001.
http://www.microsoft.com/ntserver/productinfo/faqs/pptpfaq.asp?bPrint=True

6.) Microsoft Corporation. “Virtual Private Networking In Windows 2000: An Overview”. Redmond, WA 98052-6399. 1999.
http://www.microsoft.com/windows2000/techinfo/howitworks/communications/remoteaccess/vpnoverview.asp

7.) SecGo. “Public Key Infrastructure (PKI): A SecGo Solutions White Paper”. United Kingdom. 2001.
http://www.secgo.com/

8.) VPNet Technologies. “What’s A VPN Anyway?”. San Jose, CA 95125. 1998.
http://www.vpnet.com

9.) VPN Consortium. “VPN Technologies: Definitions And Requirements”. Santa Cruz, CA 95060. 2002.
http://www.vpnc.org

10.) SearchNetworking.com. “A Guide To Virtual Private Networking”. Mike Marney.
http://searchnetworking.techtarget.com/tip/1,289483,sid7_gci768367,00.html

11.) SearchNetworking.com. “Internet Protocol”. 11/18/2002.
http://searchnetworking.techtarget.com/sDefinition/0,,sid7_gci214031,00.html

12.) SearchNetworking.com. “IPX”. 11/18/2002.
http://searchnetworking.techtarget.com/sDefinition/0,,sid7_gci214038,00.html

13.) Microsoft.com. “Extensible Authentication Protocol (EAP)”. 11/18/2002.
http://www.microsoft.com/windows2000/en/server/help/auth_eap.htm

14.) RSA Security. “What Is The RSA Cryptosystem”. 11/18/2002.
http://www.rsasecurity.com/rsalabs/faq/3-1-1.html

15.) Microsoft.com. “Microsoft Point-To-Point Encryption (MPPE)”. 11/18/2002.
http://www.microsoft.com/windows2000/en/server/help/mppe.htm

16.) Lay Networks. “DES Explanation”. 11/18/2002.
http://www.laynetworks.com/users/webs/des.htm

17.) The Skipjack Encryption Algorithm Review. Various Authors. 11/18/2002.
http://www.totse.com/en/privacy/encryption/skipjack.html

18.) Webopedia.com. “Frame”. 11/18/2002.
http://www.webopedia.com/TERM/f/frame.html

19.) Webopedia.com. “Packet”. 11/18/2002.
http://www.webopedia.com/TERM/P/Packet.html

20.) Microsoft Service Providers. “What Is IPSec Tunneling?” Jason Goodman. 11/18/2002.
http://www.microsoft.com/serviceproviders/columns/what_is_ipsec_tunneling_987.asp

21.) Alcatel Enterprise. “IPSec (IP Security).” An Alcatel Executive Briefing. 1/1/2002.

22.) John Savard. “IDEA (International Data Encryption Algorithm)”. 11/18/2002.
http://home.ecn.ab.ca/~jsavard/crypto/co0404.htm

23.) Microsoft Networking Essentials. “Hands On, Self-Paced Training for Supporting Local and Wide Area Networks.” 1998.