vpn

Upload: elsaseptianaputri

Post on 26-Nov-2014

Network Applications 2 (Aplikasi Jaringan 2): Building Virtual Private Networks
Defiana Arnaldy, M.Si
081802964763
[email protected]

Chapter 1. Introduction to VPNs

- Overview
- Understanding VPNs
- Types of VPNs
- Summary

Overview

- In the last decade, the world has witnessed an explosive growth of the Internet. The Internet continues to invade every aspect of modern life, reshaping business priorities, consumer requirements, and general commercial attitudes.
- Initially, organizations all over the world used the Internet to promote their products and services by providing access to their corporate Web sites. Many organizations have since realized that instead of bearing the cost of Internet connectivity themselves, they can reduce the cost of implementation by outsourcing their Internet connectivity services to an organization that specializes in the field. As a result, they can also increase their profit margin considerably.
- This growing demand for highly secure and cost-effective data transactions over a relatively "insecure" public medium, such as the Internet, has given rise to the Virtual Private Networks (VPNs) of today.
- In this chapter, you will learn the basics of VPN technology.

Understanding VPNs

- The primary intent of VPNs is to deliver the security, performance, and reliability of dedicated networks while ensuring that the overall setup justifies the cost of implementation.
- So what exactly is a VPN?
- According to the Internet Engineering Task Force (IETF), a VPN is "an emulation of [a] private Wide Area Network (WAN) using shared or public IP facilities, such as the Internet or private IP backbones."
- In simpler terms, a VPN is an extension of a private intranet across a public network (the Internet) that ensures secure and cost-effective connectivity between the two communicating ends. The private intranet is extended with the help of private logical "tunnels." These tunnels enable the two ends to exchange data in a manner that resembles point-to-point communication. Figure 1-1 depicts a typical VPN setup.

Figure 1-1: The typical VPN setup

- Although tunneling technology lies at the core of VPNs, elaborate security measures and mechanisms are also used to ensure safe passage of sensitive data across an unsecured medium.
- Encryption. Encryption is the process of changing data into a form that can be read only by the intended receiver. Public-key encryption uses a pair of keys:
  - A public key, which anyone may use during encryption or decryption.
  - A private key, which is private to the entity (or person) to which it is issued. As a result, with public-key encryption anyone may use the owner's public key to encrypt and send a message.
  - Examples of encryption systems: Pretty Good Privacy (PGP) and Data Encryption Standard (DES).
- Authentication. Authentication is the process of ensuring that data is delivered to its intended recipient.
  - In its simplest form, authentication requires at least a username and password to gain access to the specified resource.
  - In its complex form, authentication can be based on secret-key encryption or on public-key encryption.
- Authorization. Authorization is the process of granting or denying access to the resources located in a network after the user has been successfully identified and authenticated.
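The slides describe three separate mechanisms: encryption, authentication (in its "complex form" based on secret-key or public-key cryptography) and authorization, which only happens after a user is identified and authenticated. The following added example, which is not code from the slides or from the course, shows secret-key authentication as an HMAC challenge-response (the client proves it knows the shared secret without ever sending it) followed by an authorization check against a role list. The users, shared secrets, roles and resource names are constructed for the example.

```python
"""Authentication followed by authorization at a VPN gateway, as an added
illustration (not code from the slides). The users, shared secrets, roles
and resource names are all constructed for the example."""
import hashlib
import hmac
import secrets

# Constructed user directory: a shared secret per user (secret-key
# authentication) plus the roles the user holds.
USERS = {
    "alice": {"secret": b"alice-shared-secret", "roles": {"sales"}},
    "bob": {"secret": b"bob-shared-secret", "roles": {"engineering"}},
}

# Constructed access-control list: which roles may reach which resource.
ACL = {
    "crm": {"sales"},
    "source-repo": {"engineering"},
    "wiki": {"sales", "engineering"},
}

# Dummy secret so the work done for an unknown user matches the work done
# for a known one; otherwise timing would reveal which usernames exist.
_DUMMY_SECRET = b"\x00" * 32


def new_challenge() -> bytes:
    """Server side: a fresh random nonce, so a recorded response is useless later."""
    return secrets.token_bytes(16)


def client_response(secret: bytes, challenge: bytes) -> bytes:
    """Client side: prove knowledge of the shared secret without sending it."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def authenticate(username: str, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the expected response and compare in constant time."""
    user = USERS.get(username)
    secret = user["secret"] if user is not None else _DUMMY_SECRET
    expected = hmac.new(secret, challenge, hashlib.sha256).digest()
    matches = hmac.compare_digest(expected, response)
    return matches and user is not None


def authorize(username: str, resource: str) -> bool:
    """Grant access only if one of the user's roles is allowed on the resource."""
    allowed = ACL.get(resource, set())
    return bool(USERS[username]["roles"] & allowed)


def access(username: str, resource: str, challenge: bytes, response: bytes) -> str:
    """The sequence from the slides: identify, authenticate, then authorize."""
    if not authenticate(username, challenge, response):
        return "denied: authentication failed"
    if not authorize(username, resource):
        return "denied: not authorized"
    return "granted"


if __name__ == "__main__":
    ch = new_challenge()
    print(access("alice", "crm", ch, client_response(USERS["alice"]["secret"], ch)))
    print(access("alice", "source-repo", ch, client_response(USERS["alice"]["secret"], ch)))
    print(access("mallory", "wiki", ch, client_response(b"guess", ch)))
```

The challenge is generated fresh for every attempt, so a response captured on the "insecure" medium the slides describe cannot be replayed against a later challenge; the comparison uses `hmac.compare_digest` so that a wrong response is rejected in constant time.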

Evolution of VPNs

- VPNs are not a new technology. The concept of VPNs has been around for the last 15 years and has undergone several generations to arrive at its latest form.
- The first known VPNs were offered by AT&T in the late eighties and were known as Software Defined Networks (SDNs). The data packet was routed to its destination across the shared public switched infrastructure.
- The second generation of VPNs came into existence with the emergence of X.25 and Integrated Services Digital Network (ISDN) technologies in the early nineties. For some time it seemed as though the X.25 protocol over ISDN would be established as the native VPN protocol.
- The third generation of VPNs was based on Asynchronous Transfer Mode (ATM) and Frame Relay (FR) technologies.
- Virtual circuit switching technology offers much higher data transfer rates (160 Mbps and above), but the encapsulation of IP traffic into Frame Relay packets and ATM cells is considerably slower.
- FR-based and ATM-based networks do not offer the packet-level end-to-end authentication and encryption required for high-end applications, such as multimedia.
- They have limited capability to route across congested networks, which is a common phenomenon in shared public networks.
- Users (and organizations) wanted a solution that was easy to implement, scale, and administer, globally accessible, and capable of providing a high level of end-to-end security. The current generation of VPNs, the IP VPNs, meets all these requirements by employing tunneling technology.
- Tunneling is the technique of encapsulating a data packet in a tunneling protocol, such as IP Security (IPSec), Point-to-Point Tunneling Protocol (PPTP), or Layer 2 Tunneling Protocol (L2TP), and then packaging the tunneled packet in an IP packet.
- Because the original data packet can be of any type, tunneling can support multi-protocol traffic, including IP, ISDN, FR, and ATM.
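To make the idea of "packaging the tunneled packet in an IP packet" concrete, here is an added example (not code from the slides or from the course) that wraps a complete inner IPv4 packet inside an outer IPv4 packet addressed between two tunnel endpoints, then unwraps it on the far side. It uses the plain IP-in-IP protocol number (4) rather than IPSec, PPTP or L2TP, so nothing here is encrypted or authenticated; the point is the encapsulation itself and the checks a tunnel exit should make (header checksums, expected protocol, expected peer) before trusting what it unwraps. All addresses are constructed from documentation ranges.

```python
"""IP-in-IP tunnel encapsulation and decapsulation with plain struct packing,
as an added illustration (not code from the slides). Addresses below are
constructed documentation ranges; protocol number 4 ("IP in IP") is the IANA
assignment. Real VPN protocols add encryption and authentication on top of
this basic wrapping."""
import ipaddress
import struct

IPPROTO_IPIP = 4  # IANA protocol number for "IP in IP" encapsulation
# version/IHL, TOS, total length, ID, flags/fragment, TTL, proto, checksum, src, dst
IPV4_HDR = "!BBHHHBBH4s4s"


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the 16-bit words of an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    header = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes) -> dict:
    """Parse an IPv4 header, rejecting truncated packets and bad checksums."""
    if len(packet) < 20:
        raise ValueError("truncated packet")
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = struct.unpack(IPV4_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a valid IPv4 header")
    if ipv4_checksum(packet[:ihl]) != 0:  # a header with a correct checksum sums to zero
        raise ValueError("bad header checksum")
    if total_len < ihl or total_len > len(packet):
        raise ValueError("bad total length")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total_len]}


def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel entry: the whole inner packet becomes the payload of an outer packet
    addressed between the two tunnel endpoints; the inner addresses stay private."""
    parse_ipv4(inner)  # refuse to wrap something that is not a well-formed packet
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner)


def decapsulate(outer: bytes, expected_peer: str) -> bytes:
    """Tunnel exit: accept only IP-in-IP packets from the configured peer and
    return the inner packet after validating its own header too."""
    hdr = parse_ipv4(outer)
    if hdr["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP packet")
    if hdr["src"] != expected_peer:
        raise ValueError("outer source is not the tunnel peer")
    inner = hdr["payload"]
    parse_ipv4(inner)
    return inner


def rejected(outer: bytes, expected_peer: str) -> bool:
    """True when the tunnel exit refuses the packet (exercises the checks above)."""
    try:
        decapsulate(outer, expected_peer)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    inner = build_ipv4("10.0.0.5", "10.0.1.7", 17, b"private payload")  # constructed
    outer = encapsulate(inner, "203.0.113.1", "198.51.100.2")  # constructed endpoints
    print(parse_ipv4(outer)["proto"], len(outer), decapsulate(outer, "203.0.113.1") == inner)
```

Note what the outer header reveals and what it hides: anyone on the path sees the two tunnel endpoints and protocol 4, but the private 10.x addresses only appear inside the payload. Because the inner packet is carried opaquely, it could just as well be a non-IP frame, which is the multi-protocol property the slide refers to.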

VPN Tunneling Protocols

- IP Security (IPSec). Developed by the IETF, IPSec is an open standard that ensures transmission security and user authentication over public networks. IPSec operates at the Network layer of the seven-layer Open Systems Interconnection (OSI) model.
- Point-to-Point Tunneling Protocol (PPTP). Developed by Microsoft, 3COM, and Ascend Communications, PPTP was proposed as an alternative to IPSec. PPTP operates at layer 2 (the Data Link layer) of the OSI model and is used for secure transmission of Windows-based traffic.
- Layer 2 Tunneling Protocol (L2TP). Developed by Cisco Systems, L2TP was also intended to replace IPSec as the de facto tunneling protocol. L2TP is a combination of Layer 2 Forwarding (L2F) and PPTP and is used to encapsulate Point-to-Point Protocol (PPP) frames to be sent over X.25, FR, and ATM networks.
- L2F was an earlier proprietary protocol; it was later replaced by L2TP, which offered stronger encryption of data and also covered the Windows domain where L2F failed.

Advantages and Disadvantages of VPNs

The advantages follow:

- Reduced cost of implementation. VPNs eliminate the need for long-distance connections by replacing them with local connections to a carrier network, ISP, or ISP's Point of Presence (POP).
- Reduced management and staffing costs. The lower cost of operation is explained by the fact that the organization does not need to employ as many trained and expensive networking personnel as it would if the VPN were managed by the organization itself.
- Enhanced connectivity. Because the Internet is accessible globally, even the most far-flung branch offices, users, and mobile users (such as salesmen) can easily connect to the corporate intranet.
- Security of transactions. Because VPNs use tunneling technology to transmit data across "unsecured" public networks, data transactions are secure to an extent. As a result, VPNs offer a considerably high degree of transaction security.
- Effective use of bandwidth. The network bandwidth is used only when there is an active Internet connection. Therefore, there is considerably less chance of wasting available network bandwidth.
- Enhanced scalability. This makes VPN-based intranets highly scalable and adaptive to future growth, without putting too much strain on the organization's network budget.

Advantages and Disadvantages of VPNs (Cont.)

The disadvantages include the following:

- High dependence on the Internet. The performance of a VPN-based network is highly dependent on the performance of the Internet, and no one can guarantee the performance of the Internet. An overload of traffic and congestion can negatively affect the performance of the entire VPN-based network.
- Lack of support for legacy protocols. Present-day VPNs are entirely based on IP technology. However, many organizations continue to use mainframes and other such legacy devices and protocols in their everyday transactions. As a result, VPNs are largely incompatible with legacy devices and protocols. This problem can be solved, to an extent, with the help of tunneling mechanisms. But packaging SNA and other non-IP traffic within IP packets can slow down the performance of the entire network.

VPN Considerations

The most important considerations to keep in mind while implementing a VPN-based networking solution are:

- Security. Proper measures should be taken to ensure that the data cannot be intercepted, eavesdropped on, or damaged while in transit. Strong encryption mechanisms must be employed to encrypt data.
- The chosen solution must be compatible with the existing network infrastructure and security solutions, such as firewalls, proxies, anti-virus software, and other intrusion detection systems.
- Interoperability of devices from multiple vendors. Devices must be thoroughly tested for interoperability before implementing them in the VPN.
- Centralized VPN management. It should be possible to configure, manage, and troubleshoot VPN-related problems from one location or application.
- Easy implementation. The VPN solution must be easy to implement and configure.

VPN Considerations (Cont.)

- Easy usability. The VPN software, especially the VPN client software, must be simple and uncomplicated so that even end-users can implement it, if necessary.
- Scalability. The existing VPN must be capable of adapting to future demands and additions seamlessly and with minimal change to the existing infrastructure.
- Performance. Encryption, which is a very important aspect of VPNs, is a CPU-intensive operation.
- Bandwidth management. To ensure high performance, high availability, and guaranteed QoS, it is essential to manage the bandwidth efficiently.
- Choosing an ISP. The ISP you choose for your VPN must be reliable and must be capable of providing support to VPN users and network administrators at any time.
- Protecting the network from unsolicited data. Being directly connected to the Internet, VPNs can be clogged by unsolicited data, preventing the network from performing properly. In extreme cases, this data can overwhelm the entire intranet, leading to the disruption of connectivity and services. As a result, VPN tunnels should provide a mechanism to filter out non-VPN traffic.
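The last consideration, filtering out non-VPN traffic, is usually enforced on the public interface of the tunnel endpoint: only the protocols that make up the tunnel, and only from the configured peer gateways, are allowed in. The following added example (not code from the slides or from the course) implements that policy for an IPSec tunnel over constructed flow records. The peer and endpoint addresses and the records are constructed; protocol numbers 50 (ESP) and 51 (AH) and UDP ports 500 and 4500 (IKE and IKE NAT traversal) are the IANA assignments.

```python
"""Tunnel-endpoint ingress filter that admits only VPN traffic on the public
interface, as an added illustration (not code from the slides). The peer
addresses and flow records are constructed; protocol numbers 50 (ESP) and
51 (AH) and UDP ports 500/4500 (IKE and IKE NAT traversal) are the IANA
assignments for the IPSec family."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 6, 17, 50, 51
IKE_PORTS = {500, 4500}
TUNNEL_PEERS = {"198.51.100.2", "198.51.100.3"}  # constructed remote gateways
LOCAL_PUBLIC = "203.0.113.1"  # constructed public address of this endpoint


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    dport: Optional[int]


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: '<src> <dst> <proto> [<dport>]'."""
    fields = line.split()
    if len(fields) not in (3, 4):
        raise ValueError("malformed flow record: %r" % line)
    dport = int(fields[3]) if len(fields) == 4 else None
    return Flow(fields[0], fields[1], int(fields[2]), dport)


def reason_to_drop(flow: Flow) -> Optional[str]:
    """Return None if the flow is expected tunnel traffic, else why it is dropped."""
    if flow.dst != LOCAL_PUBLIC:
        return "not addressed to the tunnel endpoint"
    if flow.src not in TUNNEL_PEERS:
        return "source is not a configured tunnel peer"
    if flow.proto in (IPPROTO_ESP, IPPROTO_AH):
        return None  # the encrypted/authenticated tunnel payload itself
    if flow.proto == IPPROTO_UDP and flow.dport in IKE_PORTS:
        return None  # key exchange that sets the tunnel up
    return "not an IPSec/IKE protocol"


def apply_policy(lines: List[str]) -> Tuple[List[Flow], List[Tuple[Flow, str]]]:
    """Split flow records into accepted flows and (flow, reason) pairs that are dropped."""
    accepted, dropped = [], []
    for line in lines:
        flow = parse_flow(line)
        why = reason_to_drop(flow)
        if why is None:
            accepted.append(flow)
        else:
            dropped.append((flow, why))
    return accepted, dropped


# Constructed records in the form 'src dst proto [dport]'.
SAMPLE_FLOWS = [
    "198.51.100.2 203.0.113.1 50",       # ESP from a peer: accept
    "198.51.100.2 203.0.113.1 17 500",   # IKE from a peer: accept
    "198.51.100.3 203.0.113.1 17 4500",  # IKE NAT-T from the second peer: accept
    "192.0.2.44 203.0.113.1 6 22",       # SSH from the Internet: drop
    "192.0.2.44 203.0.113.1 50",         # ESP from an unknown source: drop
    "198.51.100.2 203.0.113.1 17 53",    # DNS from a peer, outside the tunnel: drop
]

if __name__ == "__main__":
    ok, bad = apply_policy(SAMPLE_FLOWS)
    for f in ok:
        print("accept", f)
    for f, why in bad:
        print("drop  ", f, "-", why)
```

The two drop reasons are deliberately distinct: traffic from unknown sources is refused before its protocol is even looked at, and a configured peer is still limited to the tunnel protocols, so a peer's other services do not become reachable just because it is a peer. Logging the reason alongside the flow is what lets an operator tell ordinary Internet noise from a misconfigured peer.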

Types of VPNs

The objective of VPN technology is to address three basic requirements:

- Anytime access by remote, mobile, and telecommuting employees of an organization to the corporate network resources.
- Interconnectivity between remote branch offices.
- Controlled access to necessary network resources for customers, suppliers, and other external entities that are important to corporate business.

On the basis of the objectives specified above, present-day VPNs have evolved into the following three categories:

- Remote Access VPNs
- Intranet VPNs
- Extranet VPNs

Remote Access VPNs

- Remote Access VPNs provide anytime access by remote, mobile, and telecommuting employees of an organization to the corporate network resources. Typically, these remote access requests are issued by users who are constantly on the move or by small and remote branches that lack a permanent connection to the corporate intranet.
- As shown in Figure 1-2, the switched remote access setup before the popularization of VPNs included the following major components:
  - A Remote Access Server (RAS), which is located at the central site and authenticates and authorizes remote access requests.
  - A dial-up connection to the central site, which can entail high charges in the case of long-distance requests.
  - Support personnel who are responsible for configuring, maintaining, and managing the RAS and supporting remote users.

Figure 1-2: The non-VPN remote access setup.

- By implementing Remote Access VPNs, remote users and branch offices only need to set up local dial-up connections to the ISP or the ISP's POP and connect to the corporate network across the Internet. The corresponding Remote Access VPN setup is depicted in Figure 1-3.

Figure 1-3: The Remote Access VPN setup

Advantages of Remote Access VPNs

The major advantages of Remote Access VPNs over the traditional remote access approach are as follows:

- The need for a RAS and its associated modem pool is entirely eliminated.
- The need for support personnel is eliminated because the remote connectivity is facilitated by the ISP.
- The need for long-distance dial-up connections is eliminated; instead, long-distance connections are replaced by local dial-up connections.
- Inexpensive dial-up service is provided for long-distance users.
- Because the dial-up access is local, modems perform at higher data rates compared to long-distance access.
- VPNs provide better accessibility to the corporate site because they support a minimum level of access services despite a heavy increase in the number of simultaneous users accessing the network. As the number of connected users increases in a VPN setup, services may be degraded, but accessibility is not completely disrupted.

Disadvantages of Remote Access VPNs

A few inherent disadvantages are associated with Remote Access VPNs. These include the following:

- Remote Access VPNs do not offer a guaranteed QoS.
- The possibility of data loss is very high. In addition, packets can be delivered fragmented and out of order.
- Because of elaborate encryption algorithms, the protocol overhead is increased considerably. This leads to latency in the authentication process. In addition, IP- and PPP-based data compression is extremely slow and poor.
- Because of the underlying presence of the Internet, when transmitting high-end multimedia data across Remote Access VPN tunnels, latency in transmission can be very high and throughput can be extremely low.

Intranet VPNs

- Intranet VPNs are used to interconnect remote branch offices of an organization to the corporate intranet.
- In an intranet setup without VPN technology, each remote site must be connected to the corporate intranet (backbone router) using campus routers. This setup is shown in Figure 1-4.

Figure 1-4: The intranet setup using a WAN backbone

- The setup shown in Figure 1-4 is highly expensive because at least two routers are required to connect a remote campus to the organization's intranet.
- The implementation, maintenance, and management of an intranet backbone can be an extremely expensive affair, depending on the volume of network traffic that traverses it and the geographical extent of the entire intranet.
- For example, the cost of a global intranet can be up to several thousand dollars per month! The bigger the reach of the intranet, the more expensive it can be.
- With the implementation of VPN solutions, the expensive WAN backbone is replaced by low-cost Internet connectivity, which can decrease the total cost of implementation of the entire intranet. A typical VPN-based solution is depicted in Figure 1-5.

Figure 1-5: The intranet setup based on VPN.

Advantages of the Intranet VPN

The major advantages offered by the VPN-based setup shown in Figure 1-5 include the following:

- It is cost-effective due to the elimination of the routers that are used to form the WAN backbone.
- It considerably reduces the number of support personnel required across the globe, stationed at various remote sites.
- Because the Internet acts as the connection medium, it is easier to accommodate new peer-to-peer links.
- A cost-effective backup facility can be achieved using the VPN tunnels in association with fast switching technology, such as FR.
- Because of the local nature of dial-up connectivity to the ISP, accessibility is faster and better. Also, the elimination of long-distance services further helps an organization reduce the cost of intranet operation.

Disadvantages of the Intranet VPN

The disadvantages associated with intranet VPN solutions are listed next:

- Because the data is still tunneled through a shared public network (the Internet), attacks such as denial-of-service can still pose serious security threats.
- The possibility of data packet loss while in transit is still very high.
- In the case of transmission of high-end data, such as multimedia, latency in transmission can be very high and throughput can be extremely low due to the underlying presence of the Internet.
- Because of the underlying Internet connectivity, performance can be sporadic and QoS cannot be guaranteed.

Extranet VPNs

- Unlike intranet and remote access-based VPN solutions, Extranet VPNs are not entirely segregated from the "outer world." In fact, Extranet VPNs allow controlled access to necessary network resources for external business entities, such as partners, customers, and suppliers, who play a major role in the organization's business.
- The traditional approach to extranet connectivity is shown in Figure 1-6.
- As shown in Figure 1-6, the traditional setup is extremely expensive, because every separate network in the intranet must be tailored to the external network.
- This typically results in complex implementation and management of the various networks. Also, the need for qualified personnel to maintain and manage this extremely complex setup is very high.
- In addition, this type of setup cannot be easily extended, because doing so would upset the entire intranet and might affect the other connected external networks. As a result of all the problems that you might encounter when connecting an intranet to external networks, implementation of extranets can be a network designer's and administrator's nightmare.

Figure 1-6: The traditional extranet setup.

- The implementation of VPNs has made the task of setting up an extranet considerably easier and more cost-effective. The Extranet VPN setup is shown in Figure 1-7.

Figure 1-7: The Extranet VPN setup

Advantages of Extranet VPNs

The major advantages of Extranet VPNs include the following:

- Fractional cost compared to the traditional setup.
- Easy implementation, maintenance, and ease of modifying the existing setup.
- Because of the underlying presence of the Internet, you have a bigger choice of vendors when selecting and tailoring solutions according to the needs of an organization.
- Because the Internet-connectivity part is maintained by the ISP, the need for support personnel is reduced considerably, thus bringing down the cost of operation of the entire setup.

Disadvantages of Extranet VPNs

A few disadvantages are associated with the Extranet VPN solution. These include the following:

- Security threats, such as denial-of-service, still exist.
- Increased risk of penetration of the organization's intranet.
- Due to the underlying presence of the Internet, in the case of high-end data, such as multimedia, latency in transmission can be very high and throughput can be extremely low.
- Because of the underlying Internet connectivity, performance can be sporadic and QoS cannot be guaranteed.

Despite the disadvantages posed by VPN-based solutions, the advantages offered by VPNs far outweigh their disadvantages.

Summary

- In this chapter, you were introduced to the current favorite in industry circles: VPN technology. Besides the basics of the technology, you learned about the advantages and disadvantages of VPNs.
- In addition to the whats and the whys of a VPN, you also learned about the types of VPNs, their common uses, and the role they have to play in advancing existing network technology toward security and cost-effectiveness.