
ELECTRONIC BUSINESS

Virtual Private Network

VPN stands for "Virtual Private Network" or "Virtual Private Networking."
A VPN is "private" in the sense that it carries controlled information, protected by security mechanisms (peer authentication, encryption and integrity checks), between known parties.
It is only "virtually" private, however, because the data actually travels over shared public networks rather than over fully dedicated private connections.
A Virtual Private Network is therefore a private network that uses public telecommunication infrastructure, such as the Internet, instead of leased lines to communicate.
Put another way: it is an encrypted and encapsulated communication process that transfers data securely from one point to another. The confidentiality and integrity of that data are provided by the encryption and authentication applied at the tunnel endpoints, even though the protected packets pass through an open, unsecured, routed network.
Abdusalam

Virtual Private Network

Became popular as more employees worked in remote locations.
Employees can access the corporate network (intranet) from remote locations.
Provides a secured path across an untrusted network.
The Internet is used as the backbone for VPNs.
Saves cost substantially through reduced equipment, leased-line and maintenance costs.


Virtual Private Networks (VPN)

Basic Architecture (figure)


How VPN Works?

Two connections: the first is the host's ordinary connection to the Internet (through its ISP); the second, carried over it, is the connection to the VPN gateway.
Datagrams: each datagram carries the payload together with its source and destination addresses; in a VPN the whole inner datagram is wrapped inside an outer one addressed to the far gateway.
Firewalls: the VPN gateway sits at the perimeter and lets only authenticated users pass through the firewall into the private network.
Protocols: tunneling protocols (IPsec, L2TP, PPTP, discussed later) create and protect the VPN tunnels.
VPN technology also allows a corporation to connect to branch offices or to other companies over a public internetwork (such as the Internet), while maintaining secure communications.
The VPN connection across the Internet logically operates as a wide area network (WAN) link between the sites.


How VPN Works?

Three types:
Intranet VPN: within an organization (between its own sites).
Extranet VPN: outside an organization (to partners, suppliers or customers).
Remote Access VPN: employee to business.



Remote-Access VPN

There are two common types of VPN: remote-access and site-to-site.
Remote-access, also called a Virtual Private Dial-up Network (VPDN), is a user-to-LAN connection used by a company whose employees need to connect to the private network from various remote locations.
Typically, a corporation that wishes to set up a large remote-access VPN outsources to an Enterprise Service Provider (ESP; not to be confused with the IPsec ESP protocol mentioned later).
The ESP sets up a Network Access Server (NAS) and provides the remote users with desktop client software for their computers.
The telecommuters can then dial a toll-free number to reach the NAS and use their VPN client software to access the corporate network.
Today the dial-up step has mostly disappeared: the client connects over any Internet link directly to a VPN gateway or concentrator at the corporate edge, but the user-to-LAN model is unchanged.


Remote-Access VPN (figure)


Site-to-Site VPN

Through the use of dedicated equipment and large-scale encryption, a company can connect multiple fixed sites over a public network such as the Internet.
Site-to-site VPNs can be one of two types:

Intranet-based: If a company has one or more remote locations that it wishes to join in a single private network, it can create an intranet VPN to connect LAN to LAN.

Extranet-based: When a company has a close relationship with another company (for example, a partner, supplier or customer), it can build an extranet VPN that connects LAN to LAN and allows the various companies to work in a shared environment. Because the peer is a separate organization, an extranet VPN normally carries tighter access control than an intranet VPN.


Site-to-Site VPN (figure)


Site to Site vs Remote Access VPN

Site-to-site VPNs connect entire networks to each other -- for example, connecting a branch office network to a company headquarters network.
In a site-to-site VPN, hosts do not have VPN client software; they send and receive normal TCP/IP traffic through a VPN gateway.
The VPN gateway is responsible for encapsulating and encrypting outbound traffic, sending it through a VPN tunnel over the Internet, to a peer VPN gateway at the target site.
Upon receipt, the peer VPN gateway checks the integrity of the packet, decrypts the content, strips the outer headers, and relays the original packet towards the target host inside its private network.
Remote access VPNs connect individual hosts to private networks -- for example, travelers and teleworkers who need to access their company's network securely over the Internet.
In a remote access VPN, every host must have VPN client software (more on this in a minute).

Site to Site vs Remote Access VPN

Whenever the host tries to send any traffic, the VPN client software encapsulates and encrypts that traffic before sending it over the Internet to the VPN gateway at the edge of the target network.
Upon receipt, that VPN gateway behaves as described above for site-to-site VPNs.
If the target host inside the private network returns a response, the VPN gateway performs the reverse process to send an encrypted response back to the VPN client over the Internet.
The most common secure tunneling protocol used in site-to-site VPNs is the IPsec Encapsulating Security Payload (ESP, IP protocol 50), an extension to the standard IP protocol used by the Internet and most corporate networks today. In tunnel mode, ESP encrypts the entire inner IP packet and appends an integrity check value, so the receiving gateway detects tampering as well as preventing eavesdropping; the keys for each tunnel are negotiated with IKE rather than configured by hand.


Tunneling

Tunneling is the way data is transferred securely between two networks across an untrusted one.
The data being transferred is carried as packets (or frames) that pass through the tunnel one at a time.
This process differs from a normal data transfer between nodes: every packet entering the tunnel is encrypted and then encapsulated in an additional outer header, and it is this outer header that the public network uses to route the packet towards the far endpoint.
The encapsulation is reverted at the destination endpoint: the outer header is removed, the data is decrypted, and the original packet is forwarded to the intended node inside the private network.
A tunnel is a logical path between the source and destination endpoints of two networks. Every packet encapsulated at the source is de-capsulated at the destination, and this continues for as long as the logical tunnel persists between the two endpoints.
Because encapsulation adds header bytes, tunneled packets are larger than the originals; in practice the endpoints lower the MTU (or allow fragmentation) so that the enlarged packets still fit the path.
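The encapsulate/decapsulate round trip described in the tunneling and site-to-site slides above, written out as an added example in Go (not code from the original slides): a simulated pair of IPsec ESP tunnel-mode gateways. The sending side wraps a whole inner IPv4 datagram in an ESP header, encrypts it with AES-GCM and prepends an outer IP header carrying the gateways' public addresses; the receiving side verifies the integrity check value, enforces the RFC 4303 anti-replay window, strips the encapsulation and hands back the inner datagram. The SPI, key, salt, addresses and payload are constructed for the example; real gateways negotiate the security association with IKEv2 and read packets off the wire.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

const espProto = 50 // IP protocol number of ESP, written into the outer header

// SA is one direction of an IPsec Security Association. SPI, key and salt are
// constructed constants in this example; real gateways negotiate them with IKEv2.
type SA struct {
	SPI     uint32
	aead    cipher.AEAD
	salt    [4]byte
	seq     uint32 // sender: last sequence number transmitted
	highest uint32 // receiver: highest authenticated sequence number seen
	window  uint64 // receiver: RFC 4303 anti-replay bitmap, 64 packets wide
}

func newSA(spi uint32, key []byte, salt [4]byte) *SA {
	block, err := aes.NewCipher(key) // a 16/24/32-byte key selects AES-128/192/256
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for AES: 12-byte nonce, 16-byte ICV
	return &SA{SPI: spi, aead: aead, salt: salt}
}

// ipv4Packet builds a minimal IPv4 datagram (20-byte header, no options); the checksum
// field is left zero because these packets never reach a real interface.
func ipv4Packet(src, dst [4]byte, proto byte, payload []byte) []byte {
	h := make([]byte, 20, 20+len(payload))
	h[0], h[8], h[9] = 0x45, 64, proto // version 4 + IHL 5, TTL, protocol
	binary.BigEndian.PutUint16(h[2:], uint16(20+len(payload)))
	copy(h[12:], src[:])
	copy(h[16:], dst[:])
	return append(h, payload...)
}

// encapsulate is the sending gateway in tunnel mode: the whole inner datagram becomes ESP
// payload and is encrypted; a fresh outer IP header (protocol 50) with the gateways' public
// addresses is prepended so the Internet can route it.
func encapsulate(sa *SA, inner []byte, outerSrc, outerDst [4]byte) []byte {
	sa.seq++
	esp := make([]byte, 16) // ESP header: SPI(4) | Sequence(4) | IV(8)
	binary.BigEndian.PutUint32(esp[0:], sa.SPI)
	binary.BigEndian.PutUint32(esp[4:], sa.seq)
	binary.BigEndian.PutUint64(esp[8:], uint64(sa.seq)) // IV must never repeat under one key
	padLen := (4 - (len(inner)+2)%4) % 4 // trailer: Pad Length + Next Header end on a 4-byte boundary
	pt := append(append(append([]byte{}, inner...), make([]byte, padLen)...), byte(padLen), 4) // 4 = IPv4
	// RFC 4106 nonce = salt || IV; SPI and Seq travel in clear but are covered by the ICV as AAD.
	ct := sa.aead.Seal(nil, append(sa.salt[:], esp[8:16]...), pt, esp[:8])
	return ipv4Packet(outerSrc, outerDst, espProto, append(esp, ct...))
}

// antiReplay is the RFC 4303 sliding window, run only after the ICV verified so a forgery
// cannot move the window; it rejects duplicates and packets too old to track.
func (sa *SA) antiReplay(seq uint32) error {
	switch {
	case seq > sa.highest: // newest so far: slide the window (a shift >= 64 clears it), mark it
		sa.window, sa.highest = sa.window<<(seq-sa.highest)|1, seq
	case sa.highest-seq >= 64:
		return errors.New("replay: sequence number older than the window")
	case sa.window&(1<<(sa.highest-seq)) != 0:
		return errors.New("replay: sequence number already received")
	default:
		sa.window |= 1 << (sa.highest - seq)
	}
	return nil
}

// decapsulate is the receiving gateway: parse the outer header, verify the ICV and decrypt,
// enforce anti-replay, strip the trailer and return the inner datagram for normal forwarding.
func decapsulate(sa *SA, outer []byte) ([]byte, error) {
	if len(outer) < 36+sa.aead.Overhead() || outer[0] != 0x45 || outer[9] != espProto {
		return nil, errors.New("not a complete IPv4 (no options) packet carrying ESP")
	}
	esp := outer[20:] // strip the outer header; ESP = SPI(4) | Seq(4) | IV(8) | ciphertext | ICV
	if binary.BigEndian.Uint32(esp) != sa.SPI {
		return nil, errors.New("unknown SPI: no such tunnel")
	}
	pt, err := sa.aead.Open(nil, append(sa.salt[:], esp[8:16]...), esp[16:], esp[:8])
	if err != nil {
		return nil, fmt.Errorf("ICV check failed, packet dropped: %w", err)
	}
	if err := sa.antiReplay(binary.BigEndian.Uint32(esp[4:])); err != nil {
		return nil, err
	}
	if len(pt) < 2 || pt[len(pt)-1] != 4 || int(pt[len(pt)-2])+2 > len(pt) {
		return nil, errors.New("bad ESP trailer")
	}
	return pt[:len(pt)-2-int(pt[len(pt)-2])], nil
}

func main() { // gateway A (203.0.113.1) tunnels a 10.1.0.7 -> 10.2.0.9 datagram to gateway B (198.51.100.1)
	key := []byte("constructed-key!") // 16-byte demo key; a real SA gets its key from IKEv2
	tx, rx := newSA(0x1000, key, [4]byte{1, 2, 3, 4}), newSA(0x1000, key, [4]byte{1, 2, 3, 4})
	inner := ipv4Packet([4]byte{10, 1, 0, 7}, [4]byte{10, 2, 0, 9}, 17, []byte("constructed UDP payload"))
	wire := encapsulate(tx, inner, [4]byte{203, 0, 113, 1}, [4]byte{198, 51, 100, 1})
	got, err := decapsulate(rx, wire)
	_, replay := decapsulate(rx, wire) // the same packet delivered again must be rejected
	fmt.Printf("outer %dB proto %d -> inner %dB err=%v; replay: %v\n", len(wire), wire[9], len(got), err, replay)
}
```

Run with `go run` and the inner datagram comes out of the far gateway byte-for-byte intact, while the same wire bytes delivered a second time are refused by the anti-replay window; flipping any byte of the ciphertext or ICV makes the AEAD open fail before anything is forwarded. This is also why the "four critical functions" on the next slide arrive bundled in one protocol: the ICV gives integrity and origin authentication, the encryption gives confidentiality, and the SPI ties the packet to a peer that was authenticated when the SA was set up.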

Four Critical Functions

Authentication: validates that the data really came from the claimed sender, and that the user or device at the far end of the tunnel is who it claims to be.
Access control: limits unauthorized users (and authenticated users beyond their entitlement) from accessing the network.
Confidentiality: prevents the data from being read or copied while it is being transported.
Data integrity: ensures that the data has not been altered in transit (and, with sequence numbers, not replayed).


Four Protocols used in VPN

PPTP -- Point-to-Point Tunneling Protocol (its MS-CHAP authentication and RC4-based encryption are now considered broken; avoid it for new deployments)
L2TP -- Layer 2 Tunneling Protocol (tunneling only, no encryption of its own; normally run inside IPsec as L2TP/IPsec)
IPsec -- Internet Protocol Security (ESP for encryption and integrity, IKE for key exchange)
SOCKS -- a session-layer proxy protocol; used far less than the ones above


VPN Encapsulation of Packets (figure)


Advantages: Cost Savings

The main benefit of a VPN is the potential for significant cost savings compared to traditional leased lines or dial-up networking.
These savings come with a certain amount of risk, however, particularly when using the public Internet as the delivery mechanism for VPN data.
Eliminating the need for expensive long-distance leased lines.
Reducing the long-distance telephone charges for remote access.
Transferring the support burden to the service providers.
Lower operational costs.
Allows you to be at home and access your company's computers in the same way as if you were sitting at work.
When the tunnel is correctly configured, someone on the path cannot read or tamper with the data inside it without detection; the weak points are the endpoints and the credentials, not the tunnel itself.
If you have VPN client software on a laptop, you can connect to your company from anywhere in the world.
Cisco VPN Savings Calculator

Applications: Site-to-Site VPNs

Large-scale encryption between multiple fixed sites such as remote offices and central offices.
Network traffic is sent over the branch office Internet connection.
This saves the company hardware and management expenses.


Applications: Site-to-Site VPNs (figure)


VPN Requirements

A VPN is a modified version of a private network that allows one to leverage the traditional LAN or intranet setup along with the Internet and other public networks to communicate securely and economically.
As a result, most VPN requirements and the requirements of a traditional private network are essentially the same.
The most important considerations to keep in mind while implementing VPN-based networking solutions are:
User Permission: Enable a user to access the VPN. On a Windows VPN server, open Active Directory Users and Computers, select the user who needs access to the VPN, open the Dial-in tab and set Remote Access Permission (Dial-in or VPN) to Allow access. Grant this per user or group rather than to everyone, and pair it with strong (preferably multi-factor) authentication.

VPN Requirements

IP Configuration: The VPN server should have a static IP address and assign addresses from a configured range (pool) to VPN clients.
The VPN server must also be configured with DNS and WINS server addresses to hand to the VPN client during the connection.
Data Encryption: Data carried on the public network should be rendered unreadable to unauthorized parties on the network.
Protocol Support: TCP/IP is the common protocol suite on the public network. The VPN may also carry IP, Internetwork Packet Exchange (IPX), NetBEUI and so on (the latter two are legacy and rarely needed today).
Firewall Ports: When you place a VPN server behind your firewall, be sure to allow the traffic the tunneling protocol needs: for PPTP, IP protocol 47 (GRE) and TCP port 1723; for L2TP/IPsec, UDP 500 (IKE), UDP 4500 (NAT traversal) and IP protocol 50 (ESP). GRE and ESP are IP protocols, not TCP/UDP ports, so they must be permitted by protocol number.


VPN Requirements

Interface(s) for VPN server: If your network doesn't have a router, or the VPN server is also the gateway, the machine must have at least two interfaces, one connecting to the Internet and another connecting to the LAN. If it is behind a router, you need only one NIC.
One interface for VPN client: The interface can be a dial-in modem or a dedicated connection to the Internet.
Interoperability of devices from multiple vendors: If there is the slightest lack of interoperability between the devices used to implement the VPN, guaranteed Quality of Service (QoS) is difficult to achieve. Therefore, devices must be thoroughly tested for interoperability before they are deployed in the VPN. Experts recommend that, as far as possible, the devices used to implement a VPN should come from one vendor. This ensures complete device interoperability and predictable performance.

Building Blocks Of A VPN

The VPN building blocks are listed below.

VPN hardware: VPN servers, clients and other hardware devices such as VPN routers, gateways and concentrators.
VPN software: server and client software and VPN management tools.
Security infrastructure of the organization: typically RADIUS, TACACS, NAT and AAA-based (authentication, authorization and accounting) solutions.
Service provider's supporting infrastructure: the service provider's network access switching backbone and the Internet backbone.
Public networks: the Internet, the Public Switched Telephone Network (PSTN) and Plain Old Telephone Service (POTS).
Tunnels: PPTP-based, L2TP-based or IPsec-based.


Industries That May Use a VPN

Healthcare: enables the transfer of confidential patient information within medical facilities and between health care providers.
Manufacturing: allows suppliers to view inventory and allows clients to purchase online safely.
Retail: able to securely transfer sales data or customer information between stores and the headquarters.
Banking/Financial: enables account information to be transferred safely within departments and between branches.
General Business: communication between remote employees can be securely exchanged.
