Introduction

COMPETITOR

In the 1960s' and 70s', when the use of computer was just a bit fancy to most of the
people, the so-called "Network" would only mean a connection between two computers using
telephone line communicating by command line.
As time and technologies advances, networks with several computers (called terminals or
workstations), servers and other resources (printers, scanners, etc.) in organizations were formed.
This kind of network (called LAN nowadays) is set up to share data and resources among
computers within the network . At this moment, most networks were physically separated from
each other, and no equipment was set up to connect external network.
As the technology grew the competitions also increased and the hackers and the
competitors who enabled the unauthorized access system raised the need of security in the
network.
The above figure depicts the need for security as the competitor is accessing the confidential data
of one organization.
Besides security, if an organization needs a private network from its headquarters to its
branches in another city or country it is too expensive and can exceed their budget. As the
requirement of leased line connection from headquarters to each branch is very high. So the high
cost is another problem.
This raised a need for such a network which is private, secure and cheaper. Such network
is called the Virtual Private Network.
It is called a virtual network as it is not a physical network, its build logically. Moreover,
it uses tunneling concept to transmit data from one end to the other, so it is private. This
connection is build through the public network, therefore its far cheaper than the leased line.

Functions of VPN

• Authentication – Validates that the data was sent from the authorized user.
• Access control - limiting unauthorized users from accessing the network.
• Confidentiality - preventing the data to be read or copied as the data is being transported.
• Data integrity - ensuring that the data has not been altered.

Virtual Tunnel:

VIRTUAL TUNNEL
A connection which allows two computers or networks to communicate with each other across
public network.

Encapsulation in VPN:

For data encapsulation in VPN, many tunneling technologies are developed, such as Layer 2
Tunneling Protocol (L2TP), Layer 2 Forward protocol (L 2F ) and Point to Point Tunneling
Protocol (PPTP). PPTP provides remote users encrypted, multi-protocol access to a corporate
network over the Internet. Network layer protocols, such as IPX and NetBEUI, are encapsulated
by the PPTP for transport over the Internet. However, PPTP can support only one tunnel at a
time for each user. Therefore, its proposed successor, L2TP (a hybrid of PPTP and another
protocol, L 2F ) can support multiple, simultaneous tunnels for each user. PPTP and L2TP are
the layer 2 VPN technologies from CPE (customer premise equipment) to CPE.

Internet Protocol Security (IPSec), the most widely deployed VPN technology, is a set of
authentication and encryption protocols developed by the Internet Engineering Task Force
(IETF), to address data confidentiality, integrity, authentication and key management in the IP
networks. The IPSec protocol typically works on the edges of a security domain, which
encapsulates a packet by wrapping another packet around it. It then encrypts the entire packet.
This encrypted stream of traffic forms a secure tunnel across an otherwise unsecured IP network.
IPsec is the primary layer 3 VPN technology providing a CPE to CPE tunnel.

VPN Components:

A VPN includes the following components:

 VPN client. A computer that initiates a VPN connection to a VPN server. A VPN client
can be an individual computer initiating a remote access VPN connection, or a calling
router initiating a site-to-site connection.

 VPN server. A computer, which may be an ISA Server computer, that listens for VPN
connection attempts, receives the connection attempt from the VPN client, and responds
to the request to create a connection. In a site-to-site VPN connection, the answering
router is the VPN server.

 VPN tunnel. The portion of the connection in which your data is encapsulated.

 VPN connection. The portion of the connection in which your data is encrypted. For
typical secure VPN connections, the data is encrypted and encapsulated along the same
portion of the connection.
  Tunneled data. Data that is usually sent across a private point-to-point link.

 Transit internetwork. The shared or public network crossed by the encapsulated data. For
the Microsoft® Windows Server™ 2003 operating systems, the transit internetwork is
always an IP internetwork. The transit internetwork can be the Internet or a private IP-
based intranet.

Tunneling:

Most VPNs rely on tunneling to create a private network that reaches across the internet.
Essentially, tunneling is the process of placing an entire packet within another packet and
sending over a network. The protocol of outer packet is understood by the network and both
points called tunnel interfaces, where the packet enters and exits the network. Tunneling requires
three different protocols:

1. Carrier protocol - The protocol used by the network that the information is traveling
over

2. Encapsulating protocol - The protocol (GRE, IPSec, L2F, PPTP, L2TP) that is wrapped
around the original data

3. Passenger protocol - The original data (IPX, NetBeui, IP) being carried.

How does VPN works:

2. To accept remote private network

As the need of security increased the need of VPN increased. If your computer is having a
Windows XP or a greater version you can configure your VPN network as it is an inbuilt
component of the windows.

There are four steps in which you can establish a VPN connection:

1> Connect to the internet: As the tunnel of VPN is passed through the public network we
will have to connect to internet.

2> To accept remote private network: In order to establish the virtual tunnel through the
public network we have accept the remote private network.
 3> Initiate Secure Connection to remote VPN gateway: In order to pass the data through
the tunnel using tunneling protocols to the remote VPN client we have to initiate secure
connection to remote VPN Gateway.

4> Authenticate Connection: To see whether the client to which we are connecting to is the
same client which we want to connect we have to authenticate the connection by some
security protocols.

Implementation:

Each network has some set of rules to be followed while the transmission of data which are
called as protocols. VPN has also some protocols to be followed:

• IPSec Tunnel Mode

• Point-to-Point Tunneling Protocol (PPTP)

• Layer 2 Tunneling Protocol (L2TP)

• Point-to-Point Protocol over Secure Sockets Layer (PPP/SSL) or Point-to-Point

Protocol over Secure Shell (PPP/SSL)

• considered to be hacks not standards

IPSec protocol:

IPSec Packet
Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP)
communications by authenticating and encrypting each IP packet of a communication session.
IPsec also includes protocols for establishing mutual authentication between agents at the
beginning of the session and negotiation of cryptographic keys to be used during the session.

IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol
Suite. It can be used in protecting data flows between a pair of hosts (host-to-host), between a
pair of security gateways (network-to-network), or between a security gateway and a host
(network-to-host).

As shown in the above diagram the IPSec packet is similar as the conventional TCP packet. It
differs only in one aspect and i.e., the TCP header is embedded in the data field of the IPSec
packet which in turn increases the security of the transmission of the packet. The TCP header
and the data field are together known as ESP. Encapsulating Security Payload (ESP) to provide
confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form
of partial sequence integrity), and limited traffic flow confidentiality.

Tunnel mode

In tunnel mode, the entire IP packet is encrypted and/or authenticated. It is then encapsulated
into a new IP packet with a new IP header. Tunnel mode is used to create Virtual Private
Networks for network-to-network communications (e.g. between routers to link sites), host-to-
network communications (e.g. remote user access), and host-to-host communications (e.g.
private chat).

PPTP:

The Point-to-Point Tunneling Protocol (PPTP) is a method for implementing virtual private
networks. PPTP uses a control channel over TCP and a GRE tunnel operating to encapsulate PPP
packets.

The PPTP specification does not describe encryption or authentication features and relies on the
PPP protocol being tunneled to implement security functionality. However the most common
PPTP implementation, shipping with the Microsoft Windows product families, implements
various levels of authentication and encryption natively as standard features of the Windows
PPTP stack. The intended use of this protocol is to provide similar levels of security and remote
access as typical VPN products.

Security of the PPTP protocol

PPTP has been the subject of many security analyses and serious security vulnerabilities have
been found in the protocol. The known vulnerabilities relate to the underlying PPP authentication
protocols used, the design of the MPPE protocol as well as the integration between MPPE and
PPP authentication for session key establishment. A summary of these vulnerabilities is below:
  MSCHAP-v1 is fundamentally insecure. Tools exist to trivially extract the NT Password
hashes from a captured MSCHAP-v1 exchange.
 MSCHAP-v2 is vulnerable to dictionary attack on the captured challenge response
packets. Tools exist to perform this process rapidly.
 When using MSCHAP-v1, MPPE uses the same RC4 session key for encryption in both
directions of the communication flow. This can be cryptanalysed with standard methods
by XORing the streams from each direction together.
 MPPE uses RC4 stream cipher for encryption. There is no method for authentication of
the ciphertext stream and therefore the ciphertext is vulnerable to a bit-flipping attack. An
attacker could modify the stream in transit and adjust single bits to change the output
stream without possibility of detection. These bit flips may be detected by the protocols
themselves through checksums or other means.

Types of VPN:

Remote-Access VPN

There are two common types of VPN. Remote-access, also called a virtual private dial-up
network (VPDN), is a user-to-LAN connection used by a company that has employees who
need to connect to the private network from various remote locations. Typically, a corporation
that wishes to set up a large remote-access VPN will outsource to an enterprise service
provider (ESP). The ESP sets up a network access server (NAS) and provides the remote users
with desktop client software for their computers. The telecommuters can then dial a toll-free
number to reach the NAS and use their VPN client software to access the corporate network.

A good example of a company that needs a remote-access VPN would be a large firm with
hundreds of sales people in the field. Remote-access VPNs permit secure, encrypted connections
between a company's private network and remote users through a third-party service provider.
A remote access client initiates a remote access VPN connection that connects to a private
network. ISA Server provides access to the entire network to which the VPN server is attached.
The packets sent from the remote client across the VPN connection originate at the remote
computer.

Site-to-Site VPN

A router, which may be an ISA Server computer, initiates a site-to-site VPN connection that
connects two portions of a private network using a VPN tunneling protocol such as PPTP or
L2TP over IPsec. In each site, the VPN router provides a routed connection to the network to
which the VPN router is attached. On a site-to-site VPN connection, the packets sent from either
router across the VPN connection typically do not originate at the routers.
Through the use of dedicated equipment and large-scale encryption, a company can connect
multiple fixed sites over a public network such as the Internet. Site-to-site VPNs can be one of
two types:

 Intranet-based - If a company has one or more remote locations that they wish to join in
a single private network, they can create an intranet VPN to connect LAN to LAN.
 Extranet-based - When a company has a close relationship with another company (for
example, a partner, supplier or customer), they can build an extranet VPN that connects
LAN to LAN, and that allows all of the various companies to work in a shared
environment.

VPNs in mobile environments

Mobile VPNs are used in a setting where an endpoint of the VPN is not fixed to a single IP
address, but instead roams across various networks such as data networks from cellular carriers
or between multiple Wi-Fi access points.[14] Mobile VPNs have been widely used in public
safety, where they give law enforcement officers access to mission-critical applications, such as
computer-assisted dispatch and criminal databases, as they travel between different subnets of a
mobile network. They are also used in field service management and by healthcare
organizations, among other industries.

Increasingly, mobile VPNs are being adopted by mobile professionals and white-collar workers
who need reliable connections. They allow users to roam seamlessly across networks and in and
out of wireless-coverage areas without losing application sessions or dropping the secure VPN
session. A conventional VPN cannot survive such events because the network tunnel is
disrupted, causing applications to disconnect, time out,[14] or fail, or even cause the computing
device itself to crash.
Instead of logically tying the endpoint of the network tunnel to the physical IP address, each
tunnel is bound to a permanently associated IP address at the device. The mobile VPN software
handles the necessary network authentication and maintains the network sessions in a manner
transparent to the application and the user. The Host Identity Protocol (HIP), under study by the
Internet Engineering Task Force, is designed to support mobility of hosts by separating the role
of IP addresses for host identification from their locator functionality in an IP network. With HIP
a mobile host maintains its logical connections established via the host identity identifier while
associating with different IP addresses when roaming between access networks.

VPN Security: Encryption

Encryption is the process of taking all the data that one computer is sending to another and
encoding it into a form that only the other computer will be able to decode. Most computer
encryption systems belong in one of two categories:

 Symmetric-key encryption
 Public-key encryption

Symmetric-key encryption:

Plain Text
In symmetric-key encryption, each computer has a secret key (code) that it can use to encrypt a
packet of information before it is sent over the network to another computer. Symmetric-key
requires that you know which computers will be talking to each other so you can install the key
on each one. Symmetric-key encryption is essentially the same as a secret code that each of the
two computers must know in order to decode the information. The code provides the key to
decoding the message. Think of it like this: You create a coded message to send to a friend in
which each letter is substituted with the letter that is two down from it in the alphabet. So "A"
becomes "C," and "B" becomes "D". You have already told a trusted friend that the code is "Shift
by 2". Your friend gets the message and decodes it. Anyone else who sees the message will see
only nonsense.

The sending computer encrypts the document with a symmetric key, then encrypts the symmetric
key with the public key of the receiving computer. The receiving computer uses its private key to
decode the symmetric key. It then uses the symmetric key to decode the document.
Public-key encryption:

Plain Text
Public-key encryption uses a combination of a private key and a public key. The private key is
known only to your computer, while the public key is given by your computer to any computer
that wants to communicate securely with it. To decode an encrypted message, a computer must
use the public key, provided by the originating computer, and its own private key. A very
popular public-key encryption utility is called Pretty Good Privacy (PGP), which allows you to
encrypt almost anything. You can find out more about PGP at the PGP site.

Vigenère cipher:

The Vigenère cipher is a method of encrypting alphabetic text by using a series of different
Caesar ciphers based on the letters of a keyword. It is a simple form of polyalphabetic
substitution.

Message :

ZVPWWZ U R XEZ IFM

Configuring VPN

The users using Operating systems which are windows XP or higher versions, VPN comes as an
in-built component in OS.

To configure VPN following steps should be followed:

Click on Start -> Control Panel -> Network Connections

Click on Create a new Connection -> Connect to network at my place.

A new connection wizard will open up, select the virtual private network connection. It will ask
for an IP address to which u want to connect. Enter the IP address, then it will ask you for the
password for authentication. Enter the password and press the connect button. The tunnel will be
established between your computer and the remote client to which you want to connect to. Now
sending data is more secure than through normal public networks.

Advantages

• Extend geographic connectivity:

It binds two computers or two networks through the public network.

• Improve security:

As the protocols are implemented in the VPN security is improved and data is
sent safely through the tunnel.

• Reduce operational costs versus traditional WAN:

 As there is no requirements for any dial-up connections or any leased lines for
connecting the operational cost is low.

• Reduce transit time and transportation costs for remote users:

As the data is sent through the tunnel through the public network both the transit
time and the transportation cost is reduced.

• Improve productivity:

Connecting two networks or organization by giving them private and confidential

means to transmit data improves productivity.

• Simplify network topology

• Provide broadband networking compatibility:

As virtual private network can send data to many computers at one time
broadband network is compatible.

Disadvantages

Lack of Security

VPN message traffic is carried on public networking infrastructure e.g. the Internet, or
over a service provider's network, which mean - circulating corporate data —one of
your most valuable assets—on the line (literally). Even though there are many methods
and technologies available to ensure data protection (like encryption implementation) ,
the level of concern about Internet security is quite high and data on transmission is
vulnerable to hackers. The use of VPNs at this moment still require an in-depth
understanding of public network security issues.
 Less Bandwidth than Dedicated Line

The other major downside of VPNs relates to guaranteeing adequate bandwidth for the
work being done. Every use of internet system consume bandwidth; the more users there
are, the less bandwidth there is for any single user. Some VPN service providers offer
guaranteed bandwidth, and private networks can be built with guaranteed bandwidth
allocations, however, these options will increase the cost of the system.

The needs to accomodate protocols other than IP and existing ("legacy") internal
network technology.

IP applications were designed for low-latency, high-reliability networks. An increasing

number of real-time, interactive applications are being used on the network. Although
some applications can be tuned to allow for increased latency, many of the applications
tested cannot be easily adjusted or cannot be adjusted at all, making the use of the
application problematic.

others pitfall to consider;

 VPN technologies from different vendors may not work well together due to
different standard compliant or immature standards.
 VPNs is more prone to Internet connectivity problems.
 The availability and performance of an organization's wide-area VPN (over the
Internet in particular) depends on factors largely outside of their control.

Future of VPN

The future of VPN depends mainly on performance for real time services. VPN in financial
sector for business like ERP, CRM and VPN in the banking sector need to provide security for
all users. IP VPN and the booming network industry have contributed to two categories. One is
'Managed VPN's' where a company gives you Customer Premise Equipment (CPE) gives
network connectivity and 24X7 manages the VPN. In other words these companies operate your
IP VPN for you. The second category is turnkey products which is either a rent or purchase of
equipment from providers of networks. You will have to build your own VPN. They will provide
backbone network connectivity and local access facilities.
 With an annual projected growth of 20% forecasted for the next 5 years, VPN may be next
generation WAN.