Lecture 5a - Virtual Private Networks

Virtual Private Network (VPN) is a type of private network that uses public telecommunications like the Internet to securely connect remote users and sites. It works by encrypting data packets that are transmitted between VPN devices and VPN servers. There are three main types of VPNs - remote access VPNs for connecting remote users, intranet-based site-to-site VPNs for connecting LANs within an organization, and extranet-based site-to-site VPNs for securely connecting organizations. VPNs use protocols like PPTP, L2TP, and IPSec to encrypt data and establish secure tunnels between devices.

Uploaded by Henry Chipinda

VIRTUAL PRIVATE NETWORK (VPN)

What is a VPN?
Definition
A Virtual Private Network is a type of private network that uses public telecommunications, such as the Internet, instead of leased lines to communicate, by creating a dedicated link of communication.

• It became popular as more employees worked in remote locations.
• It is virtual because it exists as a virtual entity within a public network.
• It is private because it is confined to a set of private users.

Brief Overview of How it Works
• Two connections – one is made to the Internet and the second is made to the VPN.
• Datagram – contains data, destination and source information.
• Firewalls – VPNs allow authorized users to pass through the firewalls.
• Protocols – protocols create the VPN tunnels (e.g. PPTP, L2TP and IPSec; see the VPN Protocols slides below).
• NB: The alternative to a VPN is dedicated leased lines.

3
Typical VPN Connection

4
VPN Major Characteristics
• Must emulate a point-to-point link
  * Achieved by encapsulating the data so that it can travel across the Internet to reach the end point
• Must emulate a private link
  * Achieved by encrypting the data in the data packets

Four Security Functions

a) Confidentiality – preventing the data from being read or copied while it is being transported
b) Data Integrity – ensuring that the data has not been altered
c) Authentication – validating that the data was really sent by the claimed sender
d) Access control – preventing unauthorized users from accessing the network by use of the VPN server

Basic VPN Requirements
a) User Authentication
• The VPN must be able to verify a user's identity and allow only authorized users to access the network.
b) Address Management
• Assign addresses to clients and ensure that private addresses are kept private on the VPN.
c) Data Encryption
• Encryption is a method of "scrambling" data before transmitting it onto the Internet.
• Public key encryption techniques are used.
• Digital signatures – for authentication.

Basic VPN Requirements contd …
d) Key Management
• Keys must be generated and refreshed for encryption at the VPN server and the client.
• Note that keys are required for encryption.

e) Multi-protocol Support
• The VPN technology must support common protocols on the Internet such as IP, IPX etc.

Industries that typically use VPNs
A VPN generally provides users with a connection to the corporate network regardless of their location.

Healthcare: enables the transfer of confidential patient information within medical facilities & health care providers
Manufacturing: allows suppliers to view inventory & allows clients to purchase online safely
Retail: ability to securely transfer sales data or customer information between stores & the headquarters
Banking / Financial: enables account information to be transferred safely within departments & between branches
General Business: communication between remote employees can be securely exchanged

Implementation of VPNs
• VPNs can be implemented in hardware OR software OR both
• One can use a router with VPN capability OR a software-based VPN
• Windows XP, 7, Vista etc. have a VPN capability
• Open source VPN implementations are also available
• Firewalls are important to complement the overall security
• An alternative is outsourcing your VPN requirements to your Internet Service Provider

3 Types of VPNs

a) Remote-Access VPN

b) i) Site-to-Site VPN (Intranet-based)

   ii) Site-to-Site VPN (Extranet-based)

a) Remote-Access VPN
• A remote-access VPN, also called a Virtual Private Dial-up Network (VPDN), is a user-to-LAN connection used by a company that has employees who need to connect to the private network from various remote locations.
• A good example of a company that needs a remote-access VPN would be a large firm with hundreds of sales people in the field.
• E.g. Econet booth agents connect to the corporate network via VPN to update Visa card information.
• Remote-access VPNs permit secure, encrypted connections between a company's private network and remote users through a third-party service provider.

Remote Access VPN
[Figure: Remote Access VPN]

b) Site-to-Site VPN
i) Intranet-based – If a company has one or more remote locations that it wishes to join in a single private network, it can create an intranet VPN to connect LAN to LAN. E.g. CABS 4th Street Branch and CABS 1st Street Branch in Harare.
ii) Extranet-based – When a company has a close relationship with another company (for example, a partner, supplier or customer), it can build an extranet VPN that connects LAN to LAN and allows the various companies to work in a shared environment. E.g. Volsec and SAZ (Security Association Zimbabwe) connect via VPN to share security personnel background information.

Site-to-Site VPN
[Figure: Site-to-Site VPN]

Tunneling
• Tunneling is the process of placing an entire packet within another packet and sending it over a network.
• Tunneling involves the encapsulation, transmission and de-capsulation of data packets.
• The data is encapsulated with additional headers.
• The additional headers provide the routing information that allows the encapsulated data to be routed between the end points of a tunnel.

Tunneling
[Figure: Tunneling]

Types of tunneling
a) Point-to-Point Tunneling Protocol (PPTP)
• Encapsulates and encrypts the data to be sent over a corporate or public IP network
b) Layer 2 Tunneling Protocol (L2TP)
• Data is encrypted and encapsulated to be sent over a communication link that supports user datagram mode of transmission
• Examples of links include X.25, Frame Relay and ATM
c) IPSec Tunnel Mode
• Encapsulates and encrypts in an IP header for transmission over an IP network
d) Layer 3 Tunneling Protocol
• IPSec Tunneling Mode
• Encapsulates the payload in an additional IP header

Windows Implementation of VPN
• L2TP for tunneling
• IPSec for encryption
• Known as L2TP/IPSec

VPN Service Providers in Zim

VPN Protocols
• There are three main protocols that power the majority of VPNs:
  • PPTP
  • L2TP
  • IPsec
• All three protocols emphasize:
  i. encryption and authentication;
  ii. preserving the integrity of data that may be sensitive; and
  iii. allowing clients/servers to establish an identity on the network.

VPN Protocols (contd…)
a) Point-to-Point Tunneling Protocol (PPTP)
• PPTP is widely supported by Microsoft as it is built into the various flavours of the Windows OS.
• The PPTP protocol specification does not describe encryption and authentication; it simply tunnels the traffic.
• PPTP has weak security features.

b) Layer Two Tunneling Protocol (L2TP)
• L2TP exists at the Data Link layer (Layer 2) of the OSI model. Layer two VPN protocols encapsulate data in PPP frames and are capable of transmitting non-IP protocols over an IP network.
• Allows multiple connections through one tunnel.

VPN Protocols (contd…)
c) Internet Protocol Security protocol (IPSec)
• It provides enhanced security features such as better encryption algorithms and more comprehensive authentication.
• IPSec has two encryption modes: tunnel and transport. Tunnel mode encrypts the header and the payload of each packet, while transport mode only encrypts the payload.
• Only systems that are IPSec compliant can take advantage of this protocol.
• IPSec can encrypt data between various devices, such as:
  • Router to router
  • Firewall to router
  • PC to router
  • PC to server

VPN Tunneling

• VPN Tunneling supports two types: voluntary tunneling and compulsory tunneling.
• Voluntary tunneling is where the VPN client manages the connection setup.
• Compulsory tunneling is where the carrier network provider manages the VPN connection setup.

Tunneling
• Tunneling is the process of placing an entire packet within another packet and sending it over a network. Tunneling requires three different protocols:
• Passenger protocol – the original data (IPX, IP) being carried
• Encapsulating protocol – the protocol (GRE, IPSec, L2F, PPTP, L2TP) that is wrapped around the original data
• Carrier protocol – the protocol used by the network that the information is traveling over

VPN Packet Transmission

• Packets are first encrypted before being sent out for transmission over the Internet.
• The encrypted packet is placed inside an unencrypted packet.
• The unencrypted outer packet is read by the routing equipment so that it may be properly routed to its destination.
• Once the packet reaches its destination, the outer packet is stripped off and the inner packet is decrypted.

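The encrypt, wrap, route, strip and decrypt sequence described above, together with the tunnel-versus-transport distinction from the IPSec slide and the passenger/encapsulating/carrier roles from the Tunneling slide, as an added Python illustration that is not part of the lecture. It is not real IPSec code: a toy HMAC-SHA256 stream cipher stands in for the ESP cipher, the IPv4 header is simplified (no checksum, fixed TTL, next-header byte placed first instead of in an ESP trailer), and the keys, gateway addresses and payload are constructed sample values that a real deployment would negotiate with IKE.

```python
"""Added example (not from the lecture slides): a minimal IPSec-style tunnel.

Labelled assumptions: a toy stream cipher built from HMAC-SHA256 stands in for
the real ESP cipher (e.g. AES); the IPv4 header is simplified; the keys and
addresses are constructed sample values.
"""
import hashlib
import hmac
import socket
import struct

ENC_KEY = b"constructed-encryption-key-0123456789ab"[:32]   # constructed sample key
MAC_KEY = b"constructed-integrity-key-0123456789abc"[:32]   # constructed sample key
ESP = 50        # real IP protocol number of Encapsulating Security Payload
IP_IN_IP = 4    # real "next header" value ESP uses for an encapsulated IPv4 packet
TAG_LEN = 32    # HMAC-SHA256 output length
HDR = "!BBHHHBBH4s4s"   # simplified 20-byte IPv4 header layout


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Build a 20-byte IPv4 header: version/IHL 0x45, TTL 64, checksum left zero."""
    return struct.pack(HDR, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def parse_ipv4(pkt: bytes) -> dict:
    """Return the fields an on-path router can read: addresses, protocol, payload."""
    _, _, total, _, _, _, proto, _, src, dst = struct.unpack(HDR, pkt[:20])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "payload": pkt[20:total]}


def keystream(nonce: bytes, length: int) -> bytes:
    """Toy keystream HMAC(ENC_KEY, nonce || counter); a stand-in for AES-CTR."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(ENC_KEY, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def protect(inner: bytes, seq: int, mode: str, gw_src: str, gw_dst: str) -> bytes:
    """Encrypt-then-MAC the passenger packet and wrap it in a carrier IP header.

    tunnel mode:    the whole inner packet (original src/dst included) is hidden
                    and a new outer header names the two VPN gateways.
    transport mode: only the payload is hidden; the original IP header stays
                    visible and its protocol field is rewritten to ESP.
    """
    hdr = parse_ipv4(inner)
    if mode == "tunnel":
        plaintext = bytes([IP_IN_IP]) + inner
        src, dst = gw_src, gw_dst
    elif mode == "transport":
        plaintext = bytes([hdr["proto"]]) + hdr["payload"]
        src, dst = hdr["src"], hdr["dst"]
    else:
        raise ValueError("mode must be 'tunnel' or 'transport'")
    nonce = seq.to_bytes(8, "big")        # the sequence number doubles as the nonce
    body = nonce + xor(plaintext, keystream(nonce, len(plaintext)))
    tag = hmac.new(MAC_KEY, body, hashlib.sha256).digest()   # integrity + origin authentication
    return ipv4_header(src, dst, ESP, len(body) + TAG_LEN) + body + tag


def unprotect(packet: bytes) -> bytes:
    """Strip the outer header, verify the tag, decrypt, and rebuild the inner packet."""
    outer = parse_ipv4(packet)
    if outer["proto"] != ESP:
        raise ValueError("not an ESP packet")
    body, tag = outer["payload"][:-TAG_LEN], outer["payload"][-TAG_LEN:]
    expected = hmac.new(MAC_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):          # verify BEFORE decrypting
        raise ValueError("integrity check failed: packet altered or wrong key")
    nonce, ct = body[:8], body[8:]
    pt = xor(ct, keystream(nonce, len(ct)))
    next_header, data = pt[0], pt[1:]
    if next_header == IP_IN_IP:                         # tunnel mode: data is the full inner packet
        return data
    return ipv4_header(outer["src"], outer["dst"], next_header, len(data)) + data


def is_authentic(packet: bytes) -> bool:
    """True if the packet passes the integrity check a gateway runs before decrypting."""
    try:
        unprotect(packet)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    data = b"constructed sample UDP payload"
    inner = ipv4_header("10.1.0.5", "10.2.0.9", 17, len(data)) + data   # 17 = UDP
    for mode in ("tunnel", "transport"):
        wire = protect(inner, 1, mode, "203.0.113.1", "198.51.100.1")
        seen = parse_ipv4(wire)
        print(f"{mode}: router sees {seen['src']} -> {seen['dst']} proto {seen['proto']}")
        assert unprotect(wire) == inner
```

Run as a script, it prints what the routing equipment can read in each mode: in tunnel mode only the two gateway addresses and protocol 50, in transport mode the real end-host addresses. Verifying the tag before decrypting is what delivers the integrity and authentication functions from the Four Security Functions slide; any altered byte on the wire is rejected rather than decrypted into garbage.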
VPN Security: Firewalls
• A well-designed VPN uses several methods for keeping the connection and data secure:
  • Firewalls
  • Encryption
  • IPSec
• You can set firewalls to restrict the number of open ports, what type of packets are passed through and which protocols are allowed through.

Advantages of VPNs
a) Cost Savings
• Eliminating the need for expensive long-distance leased lines
• Reducing the long-distance telephone charges for remote access
• Transferring the support burden to the service providers
• Reduced operational costs

b) Scalability
• Flexibility of growth
• Efficiency with broadband technology

Private network Vs VPN Charges
[Figure: Private network vs VPN charges]

Disadvantages
• VPNs require an in-depth understanding of public network security issues and proper deployment of precautions.
• Availability and performance depend on the Internet, a factor largely outside an organisation's control.
• Immature standards.
• VPNs need to accommodate protocols other than IP and existing internal network technology.

VPN Challenges
• Connecting to a VPN takes several steps, and the user needs to wait for authentication.
• For organizations that check the status of a computer before allowing the connection, establishing a VPN connection can take several minutes.
• Solution – Users should make sure that their computers are up-to-date with the latest security protocols before attempting to initiate sessions, to save time.
• Internet performance is slowed if both intranet and Internet traffic go through the VPN connection.
• Solution – Split tunneling should be considered as an option: restrict communication via the VPN to only when necessary, otherwise connect directly to the Internet.

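The split-tunneling option above, as an added Python illustration that is not part of the lecture. It shows the per-destination routing decision a client makes under a full-tunnel policy and under a split-tunnel policy, and how much of a constructed set of flows each policy sends through the VPN. The intranet prefixes, the VPN gateway address and the sample flows are made-up values from private and documentation address ranges.

```python
"""Added example (not from the lecture): the routing decision behind split tunneling.

Constructed assumptions: the intranet prefixes, the VPN gateway address and the
sample flows are made-up values from private and documentation ranges.
"""
import ipaddress

INTRANET = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12")]   # constructed
VPN_GATEWAY = ipaddress.ip_address("203.0.113.10")   # constructed public address of the VPN server


def next_hop(dst: str, split_tunnel: bool) -> str:
    """Decide whether a packet to dst leaves via the tunnel ('vpn') or the local link ('direct')."""
    ip = ipaddress.ip_address(dst)
    if ip == VPN_GATEWAY:
        return "direct"      # carrier traffic to the gateway itself can never ride inside the tunnel
    if any(ip in net for net in INTRANET):
        return "vpn"         # corporate destinations always go through the VPN
    return "direct" if split_tunnel else "vpn"   # full tunnel: everything else goes through too


def routing_table(split_tunnel: bool) -> list:
    """The route entries a client would install, most specific first (illustrative)."""
    routes = [(str(VPN_GATEWAY) + "/32", "direct")]
    routes += [(str(net), "vpn") for net in INTRANET]
    routes.append(("0.0.0.0/0", "direct" if split_tunnel else "vpn"))
    return routes


def tunnel_share(flows, split_tunnel: bool) -> float:
    """Fraction of bytes carried through the VPN for a list of (destination, bytes) flows."""
    total = sum(b for _, b in flows)
    via_vpn = sum(b for dst, b in flows if next_hop(dst, split_tunnel) == "vpn")
    return via_vpn / total if total else 0.0


# Constructed sample flows: two intranet destinations and one public web server
SAMPLE_FLOWS = [("10.1.1.5", 300), ("172.20.0.7", 200), ("198.51.100.80", 1500)]

if __name__ == "__main__":
    for split in (False, True):
        label = "split" if split else "full "
        print(label, "tunnel:", routing_table(split),
              f"{tunnel_share(SAMPLE_FLOWS, split):.0%} of bytes via VPN")
```

With the constructed flows the full-tunnel policy carries 100% of the bytes through the VPN and the split-tunnel policy only 25%, which is the performance gain the slide refers to. The trade-off is that a split-tunnel host is attached to the Internet and to the intranet at the same time, so the best practices on the next slide about securing remote hosts and keeping them patched carry more weight under this option.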
VPN Best Practices
a) Use a firewall
b) Secure the base operating system
c) Use a single ISP
• Minimize routing hops and ensure cooperation
d) Use packet filtering to reject unknown hosts
e) Use public-key encryption and secure authentication
f) Compress before you encrypt
• Stream compression will help overall performance
g) Secure remote hosts

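Best practices a) and d), together with the firewall rule from the VPN Security slide about restricting open ports and allowed protocols, as an added Python illustration that is not part of the lecture. It is a packet filter placed in front of a site-to-site VPN gateway, run over constructed connection-log lines: traffic is accepted only when it is addressed to the gateway, comes from a known peer gateway, and uses one of the services the VPN itself needs (IKE on UDP 500, NAT-T on UDP 4500, or ESP, IP protocol 50). The gateway and peer addresses and the simplified log format are made-up values.

```python
"""Added example (not from the lecture): a packet filter in front of a VPN gateway.

Constructed assumptions: the gateway address, the known peer gateways, the
log lines and the simplified log format are made-up sample values.
"""
import re
from collections import Counter

VPN_GATEWAY = "203.0.113.1"                          # constructed gateway address
KNOWN_PEERS = {"198.51.100.20", "198.51.100.21"}     # constructed branch/partner gateways

# Only the services the VPN needs are open: IKE (UDP 500), NAT-T (UDP 4500), ESP (IP proto 50).
ALLOWED = {("udp", 500), ("udp", 4500), ("esp", None)}

LINE_RE = re.compile(r"proto=(\w+) src=([\d.]+) dst=([\d.]+)(?: dport=(\d+))?")


def decide(line: str) -> str:
    """Return 'accept' or 'drop (<reason>)' for one connection-log line."""
    m = LINE_RE.search(line)
    if not m:
        return "drop (unparseable)"
    proto, src, dst, dport = m.groups()
    dport = int(dport) if dport else None
    if dst != VPN_GATEWAY:
        return "drop (not addressed to the gateway)"
    if src not in KNOWN_PEERS:
        return "drop (unknown host)"                  # best practice d): reject unknown hosts
    if (proto, dport) not in ALLOWED:
        return "drop (port or protocol closed)"       # restrict open ports and protocols
    return "accept"


def filter_log(lines):
    """Pair every log line with the filter's decision."""
    return [(line, decide(line)) for line in lines]


def summary(lines) -> Counter:
    """Count decisions, useful as a quick check that only VPN traffic gets through."""
    return Counter(decide(line) for line in lines)


SAMPLE_LOG = [  # constructed sample lines
    "proto=udp src=198.51.100.20 dst=203.0.113.1 dport=500",
    "proto=udp src=198.51.100.20 dst=203.0.113.1 dport=4500",
    "proto=esp src=198.51.100.21 dst=203.0.113.1",
    "proto=tcp src=198.51.100.20 dst=203.0.113.1 dport=23",
    "proto=udp src=192.0.2.77 dst=203.0.113.1 dport=500",
    "proto=tcp src=198.51.100.21 dst=203.0.113.5 dport=443",
]

if __name__ == "__main__":
    for line, verdict in filter_log(SAMPLE_LOG):
        print(f"{verdict:38} {line}")
    print(dict(summary(SAMPLE_LOG)))
```

Three of the six sample lines are accepted; a telnet attempt from a known peer is dropped because the port is closed, an IKE attempt from an unlisted address is dropped as an unknown host, and HTTPS to another server is dropped because the filter only answers for the gateway. The drop reasons are kept distinct so that the log can be reviewed for what was rejected and why.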
Summary
• A virtual private network (VPN) is a network that uses public means of transmission (the Internet) as its WAN link, connecting clients who are geographically separated through secure tunneling methods.
• Main VPN protocols include PPTP, L2TP, and IPsec.
• VPN Tunneling supports two types: voluntary tunneling and compulsory tunneling.
• Cost and scalability are the main advantages of a VPN.
• Network security and Internet stability are the main concerns for VPNs.