New Zealand assignment writing | Overview of VPN

Date: 2020-06-10

Overview of VPN - Evolution of Private Networks

Before virtual private networks emerged and became popular as a secure and cheaper medium for accessing and transmitting sensitive information between two or more corporate networks over a public network such as the Internet, other network technologies were developed and used to connect business sites, both within a site and across sites that are miles apart.

In the sixties, sites were connected for data transfer through analog phone lines and 2,400-bps modems leased from AT&T; businesses had no faster modems to choose from because the telephone companies were regulated by the government. It was not until the early eighties that businesses could connect sites at higher speed with 9,600-bps modems, after other telephone companies emerged as a result of changes in government control and telephone policy. During this period there were few mobile workers, and the modem links were static rather than dynamic as they are now. The analog phone lines were permanently wired to the sites and were specially selected lines (called conditioned lines) built for full-time use by companies; these lines differ from regular phone lines. This technology ensured full bandwidth and privacy, but at great cost: the full bandwidth had to be paid for whether or not the line was used.

Another innovation used for connecting sites, which came out in the mid-1970s, was the Digital Data Service (DDS). This was the first digital private-line service, with a connection speed of 56 Kbps. It later became a major and useful innovation for wide area networks and grew into other services that are still widely used today, such as the T1 service, which consists of 24 separate channels each carrying up to 64 Kbps of data or voice traffic. In the late 1970s the idea of a VPN was initiated with the introduction of X.25. X.25 is a virtual-circuit (VC) form of WAN packet switching that logically separates data streams. With it, the service provider can carry as many point-to-point VCs as required across a switched network infrastructure, provided each endpoint has a device that terminates the circuit at the site.

In the early 1980s, X.25 service providers offered VPN services to business customers that used the network protocols of the time, as well as to early adopters of TCP/IP.

In the 1990s other networking technologies were deployed for connecting private networks, such as high-speed Frame Relay and Asynchronous Transfer Mode (ATM) switching. These technologies gave businesses virtual connections at speeds of up to OC-3 (155 Mbps). Setting them up involved customer IP routers (customer premises equipment, or CPE) interconnected in a partial or full mesh of Frame Relay or ATM VCs to other CPE devices; in other words, less equipment was needed (Metz, C., 2003). By some definitions, and according to researchers such as Mangan, T. (2001), Frame Relay and ATM are regarded as the standard VPN technologies. They gained much popularity after leased lines for connecting sites and were also easy to set up. However, as businesses grow and expand globally and allow staff to be mobile and work offsite, Frame Relay is not the best technology for remote access, since it is only an overlay technology. Leased lines are a better alternative for connecting business sites, but they are excessively expensive to own. With the advent of the Internet and its wide use in everyday transactions, businesses have adopted it for transmitting and accessing data across sites by implementing a VPN connection between the sites, which is relatively cheap, flexible and scalable, in order to protect the data sent across the insecure Internet from being read or tampered with by unauthorized persons.

VPN definition

There are various definitions of a Virtual Private Network (VPN), often given by vendors to best describe their products. Books, journals, whitepapers, conference papers and Internet sites define the technology in different words and sentence structures, but mostly they say the same thing. In order to gain a good understanding of what the technology is, definitions from several sources are examined below and a concise definition is formulated from them that will be used throughout this research work.

“A virtual private network (VPN) is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network.” (2008).

“A VPN is a group of two or more computer systems, typically connected to a private network (a network built and maintained by an organization solely for its own use) with limited public-network access that communicates "securely" over a public network.” (Calsoft labs whitepaper, 2007)

Aoyagi, S. et al. (2005): A Virtual Private Network (VPN) enables a private connection to a LAN through a public network such as the Internet. With a VPN, data is sent between two nodes across a public network in a manner that emulates a dial-up link. There are two types of VPN systems: one is used for connecting LANs across the Internet, and the other is used to connect a remote node to a LAN across the Internet.

“A VPN tunnel encapsulates data within IP packets to transport information that requires additional security or does not conform to internet addressing standards. The result is that remote users act as virtual nodes on the network into which they have tunnelled.” – Kaeo, M. (2004) p135.

“A VPN is a virtual network connection that uses the internet to establish a connection that is secure.” Holden, G. (2003), p 286.

“A VPN uses a public network, such as the internet, to facilitate communication; however it adds a layer of security by encrypting the data travelling between companies and authenticating users to ensure that only authorized users can access the VPN connection”. Mackey, D. (2003) p157

Randall, K. et al. (2002), p377, liken a Virtual Private Network (VPN) to tunnel mode: a means of transmitting data between two security gateways, such as two routers, that encrypts the entire IP packet and adds a new IP header carrying the receiving gateway's address as the destination address.

“VPNs enable companies to connect geographically dispersed offices and remote workers via secure links to the private company network, using the public Internet as a backbone.” Lee, H. et al (2000)

Looking closely at these definitions, they all stress security and connectivity. These are the essential features of a VPN: it creates a connection between two private networks over a public network by means of encapsulation and tunnelling protocols, and it provides security through encryption and authentication in order to control access to data and resources on the company's network. In other words, a VPN is a network technology that securely connects two or more private networks over an insecure public network such as the Internet, so as to enable internal access to files and resources and secure data transfer.

Types of VPN

There are three VPN connectivity models that can be implemented over a public network:

  • Remote-access VPNs: provide remote access to an enterprise customer's intranet or extranet over a shared infrastructure. Deploying a remote-access VPN lets corporations reduce communications expenses by leveraging the local dial-up infrastructure of Internet service providers, while allowing mobile workers, telecommuters and day extenders to take advantage of broadband connectivity. Access VPNs impose security over the analog, dial-up, ISDN, digital subscriber line (DSL), Mobile IP and cable technologies that connect mobile users, telecommuters and branch offices.
  • Intranet VPNs: link an enterprise customer's headquarters, remote offices and branch offices into an internal network over a shared infrastructure. Remote and branch offices can use VPNs over their existing Internet connections, which gives them a secure connection while eliminating costly dedicated connections and reducing WAN costs. Intranet VPNs allow access only to the enterprise customer's employees.
  • Extranet VPNs: link outside customers, partners or communities of interest to an enterprise customer's network over a shared infrastructure. Extranet VPNs differ from intranet VPNs in that they allow access to users outside the enterprise.

VPN configurations

There are two main VPN configurations for deploying a VPN connection over a public network. These are:

Site-to-site VPNs: sometimes referred to as secure gateway-to-gateway connections over the Internet, private or outsourced networks. This configuration secures information sent between two or more office networks (LANs) by routing packets through a secure VPN tunnel between two gateway devices or routers. The tunnel enables two private networks (sites) to share data across an insecure network without fear that the data will be intercepted by unauthorized persons outside the sites. A site-to-site VPN establishes a one-to-one peer relationship between two networks via the VPN tunnel (Kaeo, M., 2004). Holden, G. (2003) likewise describes a site-to-site VPN as a link between two or more networks. This configuration is mostly used in intranet VPNs and sometimes in extranet VPNs.

Client-to-site VPNs: this configuration involves a client at an insecure remote location who wants to access internal data from outside the organization's LAN. Holden, G. (2003) explains a client-to-site VPN as a network made accessible to remote users who need dial-in access, while Kaeo, M. (2004) defines it as a collection of many tunnels that terminate on a common shared endpoint on the LAN side. In this configuration the user must establish a connection to the VPN server in order to gain a secure route into the site's LAN; this is done by configuring a VPN client, which can be either software in the computer's operating system or a hardware VPN device such as a router. The connection then lets the client access and use internal network resources. This configuration is also referred to as a secure client-to-gateway connection. It is usually used in access VPNs and sometimes in extranet VPNs.

VPN Topology

VPN Components

Creating a VPN connection between sites or networks involves several components, each with elements that must be set up properly in order to carry data from one network endpoint to another. These elements are:

  • VPN server: a computer system or router configured to accept connections from the client (i.e. a remote computer), which gains access by dialling in or connecting directly over the Internet. This serves as one endpoint of the VPN tunnel.
  • VPN client: either a hardware-based system, usually a router, that serves as the endpoint of a gateway-to-gateway VPN connection, or a software-based system, a built-in or downloaded program on the computer's operating system that can be configured to act as a VPN endpoint, such as the clients built into Windows 2000, XP or Vista, or the Check Point client software.
  • Tunnel: the link between the VPN server and client endpoints through which the data is sent.
  • VPN protocols: the standardised data transmission technologies that the software and hardware systems use to apply security rules and policies to data sent along the VPN.

Types of VPN Systems

The VPN components form the endpoints of the VPN connection from one private network to another across the public network. The choice of components depends on several factors: the size of the organization (small, large or growing), the cost of implementing the VPN with new or existing components, and which component is best suited to the connection. Three kinds of component can be used to set up a VPN connection, and any combination of them can also be used.

One way to set up a VPN is to use a hardware device. A hardware device is a VPN component designed to connect gateways or multiple LANs together over the public network, using secure protocols to ensure network and data security. Two kinds of device are commonly used for this. One is a router, which encrypts and decrypts data as it passes in and out of the network gateway. The other is a VPN appliance, whose purpose is to terminate VPN connections and join multiple LANs (Holden, G. 2003); it creates connections between multiple users or networks.

Hardware VPN devices are more cost-effective for fast-growing organizations since they are built to handle more network traffic. They are the better choice when network throughput and processing overhead matter, and when the routers at each end of the network are the same and controlled by the same organization.

Another way to set up a VPN is to use a software-based component: a program installed on the system's operating system that can be used to set up a VPN connection. It is easier to configure and more flexible and cost-effective than a hardware VPN. Software VPNs suit networks that use different routers and firewalls, and are best used between different organizations and network administrators, such as partner companies. They allow traffic to be tunnelled selectively by address or protocol, unlike hardware-based products, which generally tunnel all the traffic they handle. However, software-based systems are generally harder to manage than hardware-based systems: they require familiarity with the host operating system, the application itself and the appropriate security mechanisms, and some software VPN packages require changes to routing tables and network addressing schemes (Calsoft Labs whitepaper, 2007).

The third component is the firewall-based VPN, which makes use of the firewall's mechanisms as well as its restriction of access to the internal network. This component ensures that VPN traffic passes through the network gateway to the desired destination and that non-VPN traffic is filtered according to the organization's security policy. It does this by performing address translation, ensuring that requirements for strong authentication are met, and providing real-time alarms and extensive logging.

These three components can be combined to set up a VPN in order to add layers of security to the network. This can be a combination of hardware and software VPN, or all three in the same device. Several hardware-based VPN packages offer software-only clients for remote installation and incorporate some of the access-control features more traditionally managed by firewalls or other perimeter security devices (Calsoft Labs whitepaper, 2007).

An example of such a device is the Cisco VPN 3000 Series Concentrator, which gives users the option of operating in two modes: client mode and network extension mode. In client mode the device acts as a software client, enabling a client-to-host VPN connection, while in network extension mode it acts as a hardware system, enabling a site-to-site VPN connection. Components from different vendors can also be combined to set up a VPN connection, but this comes with some challenges. The solution proposed by Holden, G. (2004) is to use a standard security protocol that is widely used and supported by all products.

VPN Security Features

The main purpose of a VPN is to ensure security and connectivity (a tunnel) over a public network, and this cannot be done without certain key activities being performed and policies set up. For a VPN to provide a cost-effective and better way of securing data over an insecure network, it applies the following security principles and measures.

Data sent over the Internet using TCP/IP is carried in packets. A packet consists of the data and an IP header. The first thing that happens to data sent across a VPN is that it is encrypted at the source endpoint and decrypted at the destination endpoint. Encryption protects information from unauthorised persons by transforming it so that it can be read only by the intended recipient. It is done with an algorithm (a cipher) that uses a key: without the key the data is unreadable, and only a holder of the correct key can restore it. For a given sound algorithm, the longer the key, the stronger the encryption and the harder it is for intruders to break. Encryption in a VPN can be applied in two ways, transport mode or tunnel mode; these modes describe how data is protected between two private networks.

In transport mode, only the data part of the IP packet (the payload) is encrypted and decrypted by the two endpoint hosts; the IP header is left in the clear. In tunnel mode, both the payload and the original IP header are encrypted and decrypted between the gateways in front of the source and destination computers, and a new outer IP header is added for the journey across the public network.

Another security measure a VPN applies to data is IP encapsulation. The VPN protects packets from being inspected on the network by intruders by enclosing the actual IP packet inside another IP packet whose source and destination addresses are those of the VPN gateways. This hides both the data being sent and the private networks' internal IP addresses, which "do not conform to Internet addressing standards". Note that encapsulation alone merely wraps the inner packet; it is the encryption of the inner packet that prevents an intruder who captures the outer packet from reading it.
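As an added illustration of the two modes and of IP encapsulation, the following Python example (written for this page, not taken from any of the cited authors) models what an on-path observer can read in each mode. It uses only the standard library; the "protection" step is a toy encrypt-then-MAC built from HMAC-SHA256 and is not ESP, and the keys, addresses and payload are constructed sample values.

```python
"""Added example: transport mode vs tunnel mode, modelled with the standard
library. The protection step is a toy encrypt-then-MAC built from HMAC-SHA256
(a keystream plus an integrity tag); it is NOT ESP and must not be used as a
cipher. It only shows which bytes each mode leaves readable on the wire."""
import hashlib
import hmac
import ipaddress
import os
import struct

IPPROTO_TCP = 6
IPPROTO_ESP = 50           # IANA protocol number ESP places in the IP header

# Constructed sample keys; a real SA would get these from IKE.
ENC_KEY = b"constructed-encryption-key"
AUTH_KEY = b"constructed-integrity-key"
TAG_LEN = 32               # HMAC-SHA256 output length
NONCE_LEN = 8


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the 16-bit words of the header (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 packet (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(packet: bytes) -> dict:
    """What anyone on the path can read from the outermost IPv4 header."""
    fields = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (fields[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": str(ipaddress.IPv4Address(fields[8])),
            "dst": str(ipaddress.IPv4Address(fields[9])),
            "proto": fields[6], "payload": packet[ihl:fields[2]]}


def _keystream(nonce: bytes, n: int) -> bytes:
    """Toy PRF-in-counter-mode keystream; illustration only, not a real cipher."""
    out = b""
    for ctr in range(-(-n // 32)):
        out += hmac.new(ENC_KEY, nonce + struct.pack("!I", ctr),
                        hashlib.sha256).digest()
    return out[:n]


def protect(plain: bytes) -> bytes:
    """nonce || ciphertext || tag (encrypt-then-MAC, the order ESP also uses)."""
    nonce = os.urandom(NONCE_LEN)
    cipher = bytes(a ^ b for a, b in zip(plain, _keystream(nonce, len(plain))))
    tag = hmac.new(AUTH_KEY, nonce + cipher, hashlib.sha256).digest()
    return nonce + cipher + tag


def unprotect(blob: bytes) -> bytes:
    """Verify the tag before decrypting; reject tampered packets."""
    nonce, cipher, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(AUTH_KEY, nonce + cipher, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(cipher, _keystream(nonce, len(cipher))))


def transport_mode(packet: bytes) -> bytes:
    """Keep the original IP header and protect only the payload: the real
    endpoint addresses stay visible on the wire."""
    p = parse_ipv4(packet)
    return build_ipv4(p["src"], p["dst"], IPPROTO_ESP, protect(p["payload"]))


def tunnel_mode(packet: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Protect the whole original packet, header included, and prepend a new
    IP header that carries only the two gateway addresses."""
    return build_ipv4(gw_src, gw_dst, IPPROTO_ESP, protect(packet))


def tunnel_decapsulate(outer: bytes) -> bytes:
    """Receiving gateway: verify, strip the outer header, forward the inner packet."""
    return unprotect(parse_ipv4(outer)["payload"])


if __name__ == "__main__":
    # Constructed sample: a host on one LAN talks to a host on the other LAN.
    inner = build_ipv4("10.0.1.5", "10.0.2.9", IPPROTO_TCP, b"constructed TCP segment")
    print("transport mode exposes destination", parse_ipv4(transport_mode(inner))["dst"])
    outer = tunnel_mode(inner, "203.0.113.1", "198.51.100.1")
    print("tunnel mode exposes destination", parse_ipv4(outer)["dst"])
    assert tunnel_decapsulate(outer) == inner
```

Run stand-alone, the script shows that transport mode leaves 10.0.2.9 readable while tunnel mode shows only the gateway address 198.51.100.1; the tampering check in `unprotect` is the reason integrity protection is applied together with encryption.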

The third security measure is authentication: identifying a user by proving that the user is actually authorized to access and use internal files. How a host, user or computer using the VPN is authenticated depends on the tunnelling protocol in use, with encryption for added security. The tunnelling protocols widely used for authentication over a network are IPSec, PPTP, L2TP and SSL, with IPSec the most common. Hosts using a VPN establish a Security Association (SA) and authenticate one another using keys generated by an algorithm. These keys can be symmetric, a single secret key, identical at both ends and known only to the hosts, used to verify each other's identity; or asymmetric, where each host has a private key from which a public key is derived: the sending host uses the other's public key to encrypt information that can be decrypted only with the receiving host's private key. The Point-to-Point Tunneling Protocol uses the Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) to authenticate computers using the VPN by exchanging authentication packets. Users connecting to the VPN can also be authenticated by what the user knows (a password or shared secret), what the user has (a smart card) and what the user is (biometrics, e.g. fingerprints).

VPN Tunnelling Protocols

VPNs create secure connections, called tunnels, through public shared communication infrastructures such as the Internet. These tunnels are not physical entities but logical constructs, created using encryption, security standards and protocols (Clemente, F. et al., 2005). A VPN tunnelling protocol is a set of standardised rules and policies applied to the transmitted data. There are various standard protocols for creating a VPN tunnel, each built with its own security features. The protocols explained in this section are the most widely used.

Internet Protocol Security (IPSec)

Internet Protocol Security (IPSec), as proposed by the Internet Engineering Task Force (IETF) in RFC 2401, provides data packet integrity, confidentiality and authentication over IP networks. An IPSec policy consists of sets of rules that designate the traffic to be protected, the type of protection, such as authentication or confidentiality, and the required protection parameters, such as the encryption algorithm (Jason, K. 2003; Hamed, H. et al. 2005; Shue, C. et al. 2005; Berger, T. 2006; Clemente, F. et al. 2005; Liu, L. and Gao, W. 2007). IPSec provides security at the network layer and offers a collection of methods, protocols, algorithms and techniques for establishing a secure VPN connection.

There are two basic modes of IPSec connection, transport mode and tunnel mode. Transport mode inserts an IPSec header after the IP header of the packet and protects only the payload. Tunnel mode is more flexible: it encapsulates the whole IP packet inside another IP packet and inserts the IPSec header after the outer IP header, so the entire original packet is protected. The mode, which is agreed between the corporate networks at each end of the VPN connection, is recorded in the Security Association (SA) among other things. The SA is the set of policy and keys used to protect the traffic, including the IPSec mode, the symmetric ciphers and the keys used during secure data transmission.

IPSec uses two main protocols, either of which can be used in either mode: the Authentication Header (AH) and the Encapsulating Security Payload (ESP). The AH carries a Security Parameter Index (SPI) and provides data origin authentication and integrity (with a keyed hash such as HMAC-MD5 or HMAC-SHA-1) over the whole IP packet, excluding header fields that change in transit, but it does not provide confidentiality of the data. ESP provides confidentiality of the data in addition to the authentication and integrity features AH provides. The ESP header includes an initialization vector field used by symmetric block ciphers (Berger, T. 2006). Another essential protocol IPSec uses in establishing the VPN tunnel is the Internet Key Exchange protocol (IKE). IKE exchanges encryption keys and authentication data (RFC 2409) over UDP port 500, and relies on the Internet Security Association and Key Management Protocol (ISAKMP), which provides the framework within which both endpoints negotiate the SA and authenticate themselves, for example with digital certificates (RFC 2408). Creating a VPN tunnel with IPSec takes two steps. First, both networks establish the IKE SA: a Diffie-Hellman exchange gives both sides a shared secret, and each side authenticates the other with a pre-shared key or a digital certificate (Diffie-Hellman by itself does not authenticate anyone). Second, the endpoints set the parameters for the VPN tunnel itself, including the symmetric cipher keys (and key expiry information), security policy, network routes and other connection-relevant information.
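To make the first IKE step concrete, here is an added Python example (not the page's or any cited author's code) of the Diffie-Hellman exchange and the PRF-based key derivation that follows it. It uses the standard library only and a toy 127-bit prime group that is far too small for real use; the key-derivation layout follows IKEv2 (RFC 7296), and the nonce and SPI values are constructed samples. The example stops where authentication would begin: a real exchange must still prove each side's identity with a pre-shared key or certificate.

```python
"""Added example of the IKE key agreement: Diffie-Hellman gives both gateways
the same secret, and a PRF expands it into the SA keys. Toy group, standard
library only; the layout follows IKEv2 (RFC 7296): SKEYSEED = prf(Ni|Nr, g^ir)
followed by prf+ expansion."""
import hashlib
import hmac
import secrets

# Toy group: 2**127 - 1 is prime, but real IKE uses the MODP groups of
# RFC 2409 / RFC 3526 (1024 bits and up). Illustration only.
P = 2**127 - 1
G = 5
KEY_LEN = 16   # e.g. AES-128 keys for the ESP cipher


def dh_keypair():
    """Private exponent and public value g^x mod p."""
    priv = secrets.randbelow(P - 3) + 2          # 2 .. P-2
    return priv, pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> bytes:
    """g^xy mod p; reject 0, 1 and p-1, which would give a trivial secret."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("degenerate peer public value")
    return pow(peer_pub, priv, P).to_bytes(16, "big")


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, n: int) -> bytes:
    """RFC 7296 prf+: T1 = prf(K, S|0x01), Ti = prf(K, T(i-1)|S|i)."""
    out, t, i = b"", b"", 1
    while len(out) < n:
        t = prf(key, t + seed + bytes([i]))
        out += t
        i += 1
    return out[:n]


def derive_sa_keys(shared: bytes, ni: bytes, nr: bytes,
                   spi_i: bytes, spi_r: bytes) -> dict:
    """SKEYSEED from the DH secret and nonces, then the per-direction keys."""
    skeyseed = prf(ni + nr, shared)
    km = prf_plus(skeyseed, ni + nr + spi_i + spi_r, 32 + 4 * KEY_LEN)
    return {"sk_d": km[:32],                          # seed for child (ESP) SA keys
            "sk_ai": km[32:48], "sk_ar": km[48:64],   # integrity key, each direction
            "sk_ei": km[64:80], "sk_er": km[80:96]}   # encryption key, each direction


def run_exchange():
    """Both sides of the exchange; returns the key set each side computed."""
    # Constructed nonces and SPIs (in real IKE: random, sent in the first messages).
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    spi_i, spi_r = secrets.token_bytes(8), secrets.token_bytes(8)
    # Message 1 (initiator -> responder, UDP 500): g^i, Ni, SPIi
    priv_i, pub_i = dh_keypair()
    # Message 2 (responder -> initiator): g^r, Nr, SPIr
    priv_r, pub_r = dh_keypair()
    # Each side combines its own private value with the peer's public value.
    keys_i = derive_sa_keys(dh_shared(priv_i, pub_r), ni, nr, spi_i, spi_r)
    keys_r = derive_sa_keys(dh_shared(priv_r, pub_i), ni, nr, spi_i, spi_r)
    # Authentication (PSK or certificate over these keys) would follow here.
    return keys_i, keys_r


if __name__ == "__main__":
    ki, kr = run_exchange()
    print("both sides agree:", ki == kr)
```

The check on the peer's public value in `dh_shared` is the small-subgroup guard every IKE implementation applies: the values 0, 1 and p-1 would force a predictable shared secret regardless of the private exponent.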

Point-to-Point Tunneling Protocol (PPTP)

Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the transfer of data from a remote client to a private enterprise server by creating a virtual private network (VPN) across TCP/IP-based data networks (Microsoft TechNet, 2008). PPTP tunnels Layer 2 of the OSI model: as specified in RFC 2637, it describes a means of carrying the Point-to-Point Protocol (PPP), described in RFC 1661, over an IP-based network. It was created by a vendor consortium known as the PPTP Forum, which included Microsoft Corporation, Ascend Communications, 3Com/Primary Access, ECI Telematics, US Robotics and Copper Mountain Networks. PPP, which PPTP carries, is the protocol commonly used for dial-up access to the Internet. Microsoft included PPTP support in Windows NT Server version 4 and released a Dial-up Networking pack for Windows 95, and PPTP has been supported in every Microsoft Windows version since.

PPTP transfers two different types of packet over a VPN connection. The first is the Generic Routing Encapsulation (GRE) packet (described in RFC 1701 and RFC 1702), which carries PPP frames as tunnelled data by attaching a GRE header to the PPP frame. The PPP frame contains the (encrypted) PPP payload, while the GRE header contains various control bits, the sequence number and the call (tunnel) ID. GRE provides a flow- and congestion-controlled encapsulated datagram service for carrying the PPP packets. The complete packet consists of a data-link header, IP header, GRE header, PPP header, encrypted PPP payload and data-link trailer. The second type of packet is the PPTP control message, which carries control information such as connection requests and responses, connection parameters and error messages; it consists of an IP header, TCP header, PPTP control message and data-link trailer. To create, maintain and terminate the VPN tunnel, PPTP uses a control connection between the remote client and the server on TCP port 1723. Neither packet type provides privacy of the payload by itself, so PPTP relies on the same encryption and authentication methods used in PPP connections (Berger, T., 2006). To authenticate users of the VPN tunnel, PPTP uses one of the following PPP authentication protocols: Extensible Authentication Protocol - Transport Layer Security (EAP-TLS), Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), Shiva Password Authentication Protocol (SPAP) and Password Authentication Protocol (PAP).
For encryption, PPTP uses Microsoft Point-to-Point Encryption (MPPE), described in RFC 3078, which encrypts the PPP payload carried between the remote computer and the remote access server using the RC4 stream cipher with 40-, 56- or 128-bit keys; the GRE header itself is not encrypted. A practitioner should note that MS-CHAP and MPPE/RC4 are no longer considered secure, so PPTP should not be chosen for new deployments.

Layer 2 Tunneling Protocol (L2TP)

L2TP is an IETF standard that combines the best features of two protocols: Cisco's Layer 2 Forwarding (L2F) protocol (described in RFC 2341) and Microsoft's PPTP (Cisco Systems, 2008). L2TP tunnels PPP frames across an intervening network in a way that is as transparent as possible to both end users and applications (RFC 2661). It encapsulates the PPP packet (whose payload may be encrypted, compressed or both) in a User Datagram Protocol (UDP) packet at the transport layer. L2TP can be used over the Internet as well as over private intranets, and can also carry PPP packets over X.25, Frame Relay or ATM networks. The UDP packet consists, in order, of: a UDP header with source and destination port 1701; an L2TP header with control bits (such as the message type and whether the length field is present), the version, optional length and sequence-number fields, and the tunnel ID and session ID used to identify the tunnel and session; and the Layer 2 (PPP) frame with its header and payload. To secure the L2TP packet and authenticate it, L2TP is combined with IPSec, using ESP in IPSec transport mode. The UDP packet is then encrypted and encapsulated with an IPSec ESP header and trailer and an ESP authentication trailer. The resulting packet consists of: data-link header, IP header, IPSec ESP header, UDP header, L2TP frame, IPSec ESP trailer, IPSec ESP authentication trailer and data-link trailer, resulting in considerable protocol overhead (Berger, T., 2006).

Secure Socket Layer (SSL)

Multiprotocol Label Switching

Literature Review

VPN Protocol Overhead

Tunnelling protocols also affect network performance by adding processing overhead to the VPN connection. Implementing these security technologies over an insecure public network such as the Internet comes with some weaknesses, either because the specific standards are not sophisticated enough to provide secure, stable and fast data links, or because interaction with lower-level protocols causes serious problems (Berger, T., 2006). For example, IPSec employs three protocols, AH, ESP and IKE, to ensure security over the public network, and this adds overhead to every packet sent. IPSec has two modes, transport and tunnel mode. Tunnel mode is the more widely used because the tunnel can be used to reach several resources, and it encapsulates and encrypts the whole IP packet inside another IP packet. In a research paper by Shue, C. et al. (2005), the overhead associated with IPSec on VPN servers was evaluated using tunnel mode. Tunnel mode combines several mechanisms to add security to the packet: the ESP and IKE protocols and a choice of encryption algorithms and cryptographic key sizes, each of which adds bytes to every packet (a large relative cost for small packets). It is reported that the overheads of the IKE protocol are considerably higher than those incurred by ESP for processing a data packet; that cryptographic operations contribute 32-60% of the overheads for IKE and 34-55% for ESP; and that digital signature generation and Diffie-Hellman computations are the largest contributors to overhead during the IKE exchange, with only a small share attributable to symmetric-key encryption and hashing.

L2TP on its own adds little overhead to the VPN connection, since it applies no encryption, authentication or privacy mechanism to the data packet (it still adds its own UDP and L2TP headers). When it is combined with IPSec, all of the aforementioned mechanisms are applied to the packet, which makes it very secure but brings added problems, protocol overhead among them: both the IPSec and the L2TP headers are added to the data packet, which increases its size and thereby reduces VPN performance (Berger, T., 2006).
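The byte overhead the two paragraphs above describe can be put in numbers. The following is an added worked calculation (not from Berger or from Shue et al.) of the per-packet overhead of ESP in tunnel mode and of L2TP/IPSec, using the fixed ESP field sizes (8-byte header, 2-byte trailer, padding to the cipher block size, 12-byte ICV for HMAC-SHA1-96) and assumed typical L2TP and PPP header sizes. It covers bytes on the wire only; CPU processing overhead is a separate matter.

```python
"""Added worked calculation: bytes added per packet by ESP tunnel mode and by
L2TP/IPSec (ESP transport mode, RFC 3193). Field sizes: ESP header = SPI (4)
+ sequence (4); trailer = pad length (1) + next header (1); ICV = 12 bytes for
HMAC-SHA1-96. The L2TP and PPP header sizes are assumed typical values."""
IP_HEADER = 20
UDP_HEADER = 8
ESP_HEADER = 8
ESP_TRAILER = 2


def esp_overhead(protected_len: int, block: int = 16, iv: int = 16, icv: int = 12) -> int:
    """Bytes ESP adds around `protected_len` bytes of plaintext.
    Defaults model AES-CBC (16-byte block and IV); use block=8, iv=8 for 3DES."""
    pad = (-(protected_len + ESP_TRAILER)) % block   # trailer must end on a block
    return ESP_HEADER + iv + pad + ESP_TRAILER + icv


def esp_tunnel_size(inner_ip_len: int, **cipher) -> int:
    """Tunnel mode: new outer IP header + ESP around the whole inner packet."""
    return IP_HEADER + inner_ip_len + esp_overhead(inner_ip_len, **cipher)


def l2tp_ipsec_size(inner_ip_len: int, l2tp_hdr: int = 6, ppp_hdr: int = 2, **cipher) -> int:
    """L2TP/IPSec: IP + ESP (transport) around UDP + L2TP + PPP + inner packet.
    Assumed: 6-byte L2TP data header (no length/sequence fields) and a 2-byte
    PPP protocol field with address/control field compression."""
    protected = UDP_HEADER + l2tp_hdr + ppp_hdr + inner_ip_len
    return IP_HEADER + protected + esp_overhead(protected, **cipher)


def overhead_percent(inner_ip_len: int, size_fn=esp_tunnel_size, **cipher) -> float:
    """Relative growth of the packet, rounded to one decimal."""
    grown = size_fn(inner_ip_len, **cipher)
    return round(100.0 * (grown - inner_ip_len) / inner_ip_len, 1)


def largest_inner_for_mtu(mtu: int = 1500, size_fn=esp_tunnel_size, **cipher) -> int:
    """Largest inner packet that fits the link MTU without fragmentation.
    Padding makes this a step function, not simply mtu minus a constant."""
    for n in range(mtu, 0, -1):
        if size_fn(n, **cipher) <= mtu:
            return n
    return 0


def overhead_table(sizes=(40, 64, 576, 1400)) -> list:
    """(inner size, ESP tunnel size, %, L2TP/IPSec size, %) for typical sizes."""
    return [(n, esp_tunnel_size(n), overhead_percent(n),
             l2tp_ipsec_size(n), overhead_percent(n, l2tp_ipsec_size))
            for n in sizes]


if __name__ == "__main__":
    for row in overhead_table():
        print("inner %4d B: ESP tunnel %4d B (+%5.1f%%)  L2TP/IPSec %4d B (+%5.1f%%)" % row)
    print("largest inner packet for a 1500-byte MTU (AES-CBC, tunnel mode):",
          largest_inner_for_mtu())
```

A 40-byte packet (a bare TCP ACK) grows to 104 bytes in ESP tunnel mode, a 160% increase, while a 1400-byte packet grows by under 5%; this is the size dependence behind the small-packet results the section cites. The MTU figure matters for the fragmentation problem discussed later in the section: with a 1500-byte link MTU, inner packets above 1438 bytes must be fragmented or have their MSS clamped.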

The Internet, the Problem.

Some articles and journals argue that a VPN does not itself incur significant processing overhead on the network; rather, it is the Internet that affects performance. According to an article posted on the Internet by VPN Consultants in the San Francisco Bay Area in an FAQ on security, most performance slowdowns will in fact result from inconsistent Internet connections rather than from encryption processing overhead.

Also, Liu, L. and Gao, W. (2007) explain that IPv4-based networks (IPv4 being the widely deployed Internet protocol) have inherent deficiencies that have become obstacles to the evolution of networks. They argue that VPNs implemented on such a network, i.e. the Internet, automatically inherit some of these problems, such as the large overhead of network transport, the lack of Quality of Service (QoS) guarantees, the NAT traversal problem, and so on. They propose that VPNs implemented on IPv6 (Internet Protocol version 6), known as "the next-generation protocol", can solve these problems effectively.

Packet Loss

A VPN tunnel can sometimes suffer high packet loss and reordering of packets. Reordering can cause problems for some bridged protocols, and high packet loss may affect the optimal configuration of higher-layer protocols. Packet loss is variable and can be very high, and packets can be delivered out of order and fragmented. One main cause of packet loss on a network with a VPN connection is the use of products from different vendors to implement the connection, which may not interoperate properly and can degrade network performance. An article published by Microsoft and reviewed in 2007 explains that the packet-loss problem does not occur when IPSec ESP is used to secure traffic between Windows systems, specifically between Windows 2000 (the original retail release) and Windows 2000 Service Pack 1 (SP1); it occurs only with some third-party implementations of IPSec. An experiment conducted to ascertain the problem, using Windows 2000 SP1 as the VPN client and a Cisco IOS gateway to implement the connection with a Layer 2 Tunneling Protocol (L2TP)/IPSec VPN tunnel, showed that the tunnel keeps disconnecting as a result of product incompatibility. It was also noted that the problem occurs only when the L2TP/IPSec tunnelling protocol is used. The problem was verified by watching the Point-to-Point Protocol (PPP) send log on the Cisco IOS gateway and matching it against the PPP receive log on Windows 2000 SP1: the Cisco gateway sent a PPP data frame that was not listed as received in the Windows 2000 SP1 PPP log. Microsoft confirmed this as a problem in the original Windows 2000 and Service Pack 1 and corrected it in Service Pack 2.

Remote User CPU Capability / CPU Usage

Another factor to consider when implementing a client-to-site VPN configuration is to make sure that the remote user's system processor can handle the load of the packets being sent in on a daily basis. The remote user's system, being the VPN client at the other end of the connection, is responsible for establishing, maintaining and using the tunnel, as well as for encrypting and encapsulating data, which can prove demanding on the CPU depending on the level of encryption. Lowe, S. (2003) argues that in order to enhance performance for these machines the encryption should be disabled, just to increase the overall performance of the VPN. Also, compressing data before it is sent over a VPN connection can hamper the performance of the client system if the CPU does not have the resources to accept such packets; even if it had the capability to decompress the data, it could be too big a load on the CPU. VPNs require specific hardware and/or software devices to terminate the encrypted sessions. This centralized encryption/decryption imposes heavy CPU loads on the devices, and such devices tend to be somewhat expensive, increasing in price with the number of simultaneous sessions they can support. Pena, C. and Evans, J. (2000) argue that virtual private networks implemented in software provide an economical and accessible alternative to hardware VPN solutions, but software VPNs may have a significant impact on performance, producing high CPU usage and limiting network throughput. Based on their experiment measuring the performance of several VPN programs, it was noted that for a VPN connection over a 100 Mb/s Ethernet link the transfer speed can degrade by more than 65% while CPU usage can reach 97% when strong encryption is enabled. In addition, compression implemented at the user level adds further CPU overhead that has a negative effect on performance.
However, a test carried out on a low-speed serial link showed that CPU usage was not significantly affected by the VPN. They went on to argue that compression can be enabled without overhead, thereby increasing network throughput, but this depends on the data type. In essence, when the network connection is fast, the software-based VPN is unable to keep up with the data transmission, but when the network connection is slow, the CPU does not easily get overloaded.


Sometime in the early 1980s, X.25 service providers began offering VPN service to customers (i.e. businesses), using the network protocols of the day as well as the then-new TCP/IP.
Over the years, in the 1990s, other networking technologies were deployed for private network connections, such as high-speed Frame Relay and Asynchronous Transfer Mode (ATM) switching. This networking technology provided businesses with virtual connections at speeds of up to OC3 (155 Mbps). Setting it up involves using the customer's IP routers (customer premises equipment, or CPE) interconnected by a partial or full mesh of Frame Relay or ATM virtual circuits to the other CPE devices; in other words, fewer device components are needed for setup. - 梅斯, C. (2003). In some definitions and by some researchers, such as 勤, T. (2001), Frame Relay and ATM technologies are referred to as standards-based VPN technologies. After leased-line site connections, these technologies gained much popularity, and they were also easy to set up. As business growth and global expansion accelerated, making employees mobile and working off-site, Frame Relay technology was not the best option, because it is only an overlay technology when used for remote access. Where possible, leased lines connecting business premises were a better alternative technology, but they were too expensive. With the Internet and its widespread use in daily transactions, businesses have adopted this technology to implement VPN connections, which are relatively cheap, flexible and scalable, for data transfer and access between their various sites, and to ensure that data sent between two sites across an insecure network is not tampered with by unauthorized people.
Virtual private networks (VPNs) are defined differently by different vendors, usually in the way that best describes their product. Books, journals, white papers, conference papers and Internet sites also differ in their definitions of what the technology is; these definitions usually use different words and sentence structures, but mostly say the same thing. To get a good understanding of what the technology is all about, definitions given by several people from different sources will be looked at, and from all the definitions used throughout this research work a concise definition will be formulated.
“A virtual private network (VPN) is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network.” (2008).
“A VPN is a communication between two or more computer systems, usually a limited set, with public network access” “securely connected to a private network (a network built and maintained by an organization solely for its own use) over a public network.” (CalSoft Labs white paper, 2007)
青柳, S. et al. (2005): a virtual private network (VPN) enables private connections to a LAN through a public network such as the Internet. Through a VPN, data is sent between two nodes over the public network in a manner that simulates a dial-up link. There are two types of VPN system: one is for connecting LANs over the Internet, and the other is for connecting a remote node to a LAN over the Internet.
“VPN tunnels encapsulate data in IP packets to transmit information that requires additional security or does not conform to Internet addressing standards. As a result, remote users act as nodes on the tunnel's virtual network.” - 缴, M. (2004), p. 135.
“A VPN is a virtual network connection that uses the Internet to establish a connection that is secure.” 霍顿, G. (2003), p. 286.
“A VPN uses a public network, such as the Internet, for convenient communication, but it adds a security layer that encrypts data travelling to and from the company and authenticates users to ensure that only authorized users can access the VPN connection.” 麦基, D. (2003), p. 157.
兰德尔, K. et al. (2002), p. 377, liken a virtual private network (VPN) to tunnel mode: a means of transmitting data between two security gateways, such as two routers, that encrypts the entire IP packet and appends a new IP header whose destination address is the address of the receiving gateway.
“VPNs enable companies to connect geographically dispersed offices and remote employees to the private corporate network through secure links, using the public Internet as the backbone.” 李, H. et al. (2000).
Remote access VPN: provides remote access to an enterprise customer's intranet or extranet over a shared infrastructure. Deploying a remote access VPN uses the infrastructure of local dial-up Internet service providers, enabling businesses to reduce communication costs. At the same time, the VPN allows mobile employees and telecommuters to take advantage of broadband connections every day. Access VPNs enforce security for mobile users, telecommuters and branch offices connecting over analog dial-up, ISDN, digital subscriber line (DSL), mobile IP and cable technologies.
Intranet VPN: connects an enterprise customer's headquarters, remote offices and branch offices into an internal network over a shared infrastructure. Remote and branch offices can use the VPN over their existing Internet connections, which provides a secure connection to the remote office. This eliminates expensive dedicated connections and reduces WAN costs. An intranet VPN allows access only to the enterprise customer's employees.
Extranet VPN: links external customers, partners or communities of interest to an enterprise customer's network over a shared infrastructure. Extranet VPNs differ from intranet VPNs in that they allow access to users outside the enterprise.
Site-to-site VPN: this is sometimes called a secure gateway-to-gateway connection over the Internet, a private network or an outsourced network. This configuration secures information sent across multiple LANs and between two or more office networks; it is done by effectively routing packets between two gateway devices or routers on the network through a secure VPN tunnel. A secure VPN tunnel allows two private networks (sites) to share data over an insecure network without having to worry that the data will be intercepted by unauthorized people outside the sites. A site-to-site VPN establishes a one-to-one peer relationship between two networks through a VPN tunnel - 缴, M. (2004). 霍顿, G. (2003) describes a site-to-site VPN as mainly used for links between two networks, which is the case in intranet VPNs and sometimes in extranet VPNs.
Client-to-site VPN: this configuration involves a client at an insecure remote location who wishes to access internal data on the organization's LAN from outside the network. 霍顿, G. (2003) explains the client-to-site VPN as dial-up network access for remote users who need access. 缴, M. (2004) defines a client-to-site VPN as a collection of many tunnels that terminate on the LAN side at a shared common endpoint. In this configuration, the user needs to establish a connection in order to obtain a secure route to the site's LAN; this is done by configuring a VPN client, which may be either a computer operating system or a hardware VPN such as a router, to connect to the VPN server. This connection enables the client to access and use the internal network resources. This configuration is also known as a secure client-to-gateway connection. It is commonly used in access VPNs and sometimes in extranet VPNs.
VPN client: this can be a hardware-based system, usually a router acting as the endpoint of a gateway-to-gateway VPN connection, or a software-based system, either built into the computer's operating system or downloaded as a software program, that can be configured to act as one endpoint of a VPN, such as Windows 2000, Windows XP, Vista or the Check Point client software.
Tunnel - this is the link between the VPN server and client endpoints through which data is sent.
VPN protocol - this is a set of standardized data transport techniques, together with the security rules and policies, used by software and hardware systems to create a VPN and send data along it.
VPN components form the endpoints of a VPN connection from one private network to another across the public network. Choosing which components to use depends on several factors, such as the size of the organization - whether it is small, large or growing; the cost involved in implementing a VPN using new components or existing components; and finally, which components are best suited for the connection. There are three components that can be used to set up a VPN connection, and any combination of these components can also be used to set up a VPN connection.
One way to set up a VPN is to use a hardware device. Hardware devices are VPN components designed as gateways to connect several LANs together over a public network, using secure protocols to keep the network and data secure. There are two commonly used devices that perform these functions. A typical device used in a hardware-based VPN is a router, used to encrypt and decrypt data at the network gateway. The other device is a VPN appliance, whose purpose is to terminate VPN connections and connect multiple LANs (霍顿, G. 2003). This device creates connections between multiple users or networks.
Another way to set up a VPN is to use software-based components. A software component is a program, or otherwise something stored in the system's operating system, that can be used to set up a VPN connection. This is easier to configure, more flexible and more cost-effective than a hardware VPN. Software components are suited for use between the different routers and firewalls in a network, and are best used between different organizations and network administrators, such as partner companies. Software VPNs allow traffic to be tunnelled on the basis of address or protocol, unlike hardware-based products, which generally tunnel all the traffic they handle. However, software-based systems are generally harder to manage than hardware-based systems. They require familiarity with the host operating system, the application itself, and the appropriate security mechanisms. Some software VPN packages require changes to routing tables and network addressing schemes (CalSoft Labs white paper, 2007).
These three components can be combined to set up a VPN in order to add layers of security on the network. This can be a combination of hardware and software VPN in the same device, or a combination of all three. There are several hardware-based VPN packages that offer remote installation of client software and combine access control features with some of the more traditional managed firewalls or other perimeter security devices (CalSoft Labs white paper, 2007).
An example of such a device is the Cisco 3000 series VPN concentrator, which lets the user choose between two modes of operation: client mode and network extension mode. In client mode, the device acts as client software, enabling VPN connections for client hosts, while in extension mode it acts as a hardware system, enabling site-to-site VPN connections. A combination of all these components from different vendors can also be used to set up a VPN connection, but this comes with some challenges. The solution proposed by 霍尔登, G. (2004) is to use standard security protocols that are widely used and supported by all products.
The main purpose of a VPN is to secure the connection (tunnel) over a public network, and this cannot be done without completing some key activities and setting up policies. For a VPN to provide a cost-effective and better way of securing data over an insecure network, it applies a number of security principles and measures.
Packets are sent over the Internet using the TCP/IP rules. A packet consists of the data and an IP header. The first thing that happens to data sent over a VPN is that it is encrypted at the source endpoint and decrypted at the destination endpoint. Encryption is a way of protecting information from unauthorized people by encoding it so that it can only be read by the intended recipient. The method of encryption is to use an algorithm to generate a key that allows the information to be encoded into an unreadable form that is readable only by the recipient. The larger the number of bits used to generate the key, the stronger the encryption and the harder it is for an intruder to break. Data encryption can be done in two ways: in transport mode or in tunnel mode. These modes are the secure data transmission processes between two private networks.
Another VPN data security measure is IP encapsulation. The VPN uses the principle of IP encapsulation to protect against intruders on the network intercepting packets: the actual IP packet is enclosed inside another IP packet whose source and destination addresses are those of the VPN gateways, thereby hiding the data being sent and the private network IP addresses, which “do not conform to Internet addressing standards”.
The third security measure is authentication. This is a method of identifying a user, proving that the user accessing and using the internal files is in fact authorized. Depending on whether a user or a computer is being authenticated, the hosts use the VPN tunnelling protocol that has been set up, together with encryption, to increase security. The tunnelling protocols widely used on networks for authentication are IPSec, PPTP, L2TP and SSL, the most commonly used being IPSec. Hosts using a VPN establish a security association (SA) and authenticate each other by exchanging keys generated by algorithms (mathematical formulas). These keys can be symmetric keys, which are private keys that are exactly the same and known only to the hosts whose identity is being verified, or asymmetric keys, where each host has a private key that can be used to generate a public key. The sending host encrypts information with the other party's public key, and it can only be decrypted with the receiving host's private key. The Point-to-Point Tunneling Protocol uses the Microsoft Challenge/Response Handshake Authentication Protocol (MS-CHAP) to authenticate the computers using the VPN by having them exchange authentication packets with each other. In addition, users connecting to the VPN can be authenticated by something the user knows - a password (shared secret), something the user has - a smart card, and something the user is - biometrics such as a fingerprint.
Secure VPN connections, called tunnels, are created over a public, shared communication infrastructure such as the Internet. These tunnels are not physical entities but logical structures that use encryption, security standards and protocols - 克莱门特, F. et al. (2005). VPN tunnelling protocols transport data using standardized rules and policies. There are various technical standards for the protocols used to create VPN tunnels, each built with some unique security features. In this research work, the most widely used protocols are explained in this section.
Internet Protocol Security (IPSec), proposed by the Internet Engineering Task Force (IETF) in Request for Comments (RFC) document RFC 2401, provides packet integrity, confidentiality and authentication over IP networks. An IPSec policy consists of a set of rules that specify which traffic is to be protected, the type of protection, such as authentication or confidentiality, and the required protection parameters, such as the encryption algorithm (贾森, K. 2003; 哈米德, H. et al. 2005; 树, C. et al. 2005; 伯杰, T. 2006; 克莱门特, F. et al. 2005; Liu, L. and Gao, W. 2007). IPSec provides security at the network layer and offers a range of methods, protocols, algorithms and techniques for establishing secure VPN connections.
There are two basic modes of IPSec connection: transport mode and tunnel mode. In transport mode, an IPSec header is inserted after the packet's IP header. Tunnel mode is more flexible than transport mode: it encapsulates the IP packet inside another IP packet and also attaches an IPSec header to the outer IP packet. This mode protects the entire IP packet. The security mode is determined and agreed by the enterprise networks at each end of the VPN connection and is included in the security association (SA). The SA is a set of policies and keys used to protect information, such as the security mode, the symmetric cipher and the keys used during secure data transfer.
IPSec uses two main protocols, normally used in either mode: the Authentication Header (AH) and the Encapsulating Security Payload (ESP). The authentication header contains a security parameter index (SPI) and provides data origin authentication and integrity (an MD5 or SHA-1 hash) for the entire IP packet, but does not guarantee the privacy (confidentiality) of the data. ESP guarantees the privacy (confidentiality) of the data in addition to all the features AH provides. The ESP header includes a field used to initialize the symmetric block cipher (伯杰, T. 2006). Another important protocol IPSec uses to set up a VPN tunnel is the Internet Key Exchange (IKE) protocol. This protocol exchanges cryptographic keys and shared authentication data (RFC 2409) over UDP packets on port 500, and also relies on the Internet Security Association and Key Management Protocol (ISAKMP), which allows two endpoints to share a common key and prove their identity with digital certificates (RFC 2408). To create a VPN tunnel using the IPSec protocol, two things need to be done. First, both networks need to agree an IKE SA, which is done by using the Diffie-Hellman key exchange method to authenticate each other. After this is done, both network endpoints need to set the VPN tunnel parameters, including the symmetric keys (and key expiry information), security policies, network routes and other connection-related information.
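The ESP layout just described (SPI, sequence number, payload, padding, pad length, next header and the integrity check value) and the role of the sequence number can be seen in the following added example, which is not code from the original essay or from any IPSec implementation. It uses the NULL cipher of RFC 2410 so that every byte stays inspectable, HMAC-SHA256 truncated to 128 bits for the ICV, and a 64-packet anti-replay window (the minimum RFC 4303 requires); the key, SPI and packets are constructed, and the window size, the HMAC choice and the 4-byte alignment are assumptions made for the example. The receiver checks the ICV before it updates the replay window, so a forged packet cannot advance the window.

```python
"""ESP framing with NULL encryption, HMAC integrity and an anti-replay window.

Added example, not code from the original essay. It builds the ESP layout the
text describes (SPI, sequence number, payload, padding, pad length, next
header, ICV) with the NULL cipher of RFC 2410, and the receiver verifies the
ICV and enforces the sliding anti-replay window of RFC 4303. The key, SPI and
packets below are constructed; HMAC-SHA-256-128 is an assumed ICV algorithm.
"""
import hashlib
import hmac
import struct

ESP_HDR = struct.Struct("!II")   # SPI, sequence number (both big-endian)
ICV_LEN = 16                      # HMAC-SHA-256-128: SHA-256 HMAC truncated to 128 bits
NEXT_HEADER_IPV4 = 4              # tunnel mode: the payload is a whole IPv4 packet
REPLAY_WINDOW = 64                # assumed window size (RFC 4303 minimum)


def esp_encapsulate(key: bytes, spi: int, seq: int, inner: bytes,
                    next_header: int = NEXT_HEADER_IPV4, block: int = 4) -> bytes:
    """Build SPI | seq | payload | padding | pad length | next header | ICV.

    With NULL encryption the only alignment rule is that pad length and next
    header end on a 4-byte boundary (RFC 4303), so `block` defaults to 4.
    """
    pad_len = (-(len(inner) + 2)) % block
    pad = bytes(range(1, pad_len + 1))        # RFC 4303 default padding 1, 2, 3, ...
    body = ESP_HDR.pack(spi, seq) + inner + pad + bytes([pad_len, next_header])
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


class EspReceiver:
    """One inbound SA: checks SPI and ICV, then applies the anti-replay window."""

    def __init__(self, key: bytes, spi: int, window: int = REPLAY_WINDOW):
        self.key, self.spi, self.window = key, spi, window
        self.highest = 0      # highest sequence number accepted so far
        self.seen = 0         # bitmask: bit k set = seq (highest - k) already accepted

    def _replay_check(self, seq: int) -> bool:
        if seq == 0:                       # sequence numbers start at 1
            return False
        if seq > self.highest:             # to the right of the window: new
            return True
        offset = self.highest - seq
        if offset >= self.window:          # too old: treated as a replay
            return False
        return not (self.seen >> offset) & 1

    def _replay_update(self, seq: int) -> None:
        if seq > self.highest:
            shift = seq - self.highest
            self.seen = ((self.seen << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
        else:
            self.seen |= 1 << (self.highest - seq)

    def receive(self, packet: bytes):
        """Return (next_header, inner_payload), or None if the packet is rejected."""
        if len(packet) < ESP_HDR.size + 2 + ICV_LEN:
            return None
        spi, seq = ESP_HDR.unpack_from(packet)
        if spi != self.spi or not self._replay_check(seq):
            return None
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):   # constant-time comparison
            return None
        self._replay_update(seq)                     # only after the ICV verified
        pad_len, next_header = body[-2], body[-1]
        inner = body[ESP_HDR.size:len(body) - 2 - pad_len]
        return next_header, inner


if __name__ == "__main__":
    key, spi = b"constructed-demo-key", 0x1000     # constructed SA parameters
    rx = EspReceiver(key, spi)
    for seq, data in ((1, b"first"), (3, b"third"), (2, b"second")):
        print(seq, rx.receive(esp_encapsulate(key, spi, seq, data)))
    print("replay of 2:", rx.receive(esp_encapsulate(key, spi, 2, b"second")))
```

Packets that arrive late but within the window (sequence 2 after 3) are still accepted, which is how ESP tolerates the reordering mentioned earlier in the essay without accepting replays; a packet with a bad ICV leaves the window untouched.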
The Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server by creating a virtual private network (VPN) across TCP/IP-based data networks (Microsoft TechNet, 2008). PPTP works at layer 2 of the OSI model. PPTP, as specified in RFC 2637, is a protocol that describes a means of carrying the Point-to-Point Protocol (PPP) - described in RFC 1661 - over an IP-based network. It was developed by a consortium of vendors known as the PPTP Industry Forum, which included Microsoft Corporation, Ascend Communications, 3Com/Primary Access, ECI Telematics, US Robotics and Copper Mountain Networks. PPTP is the most commonly used protocol for dial-up access to the Internet. Microsoft supported PPTP in Windows NT Server (version 4) and released it in the Dial-Up Networking package for Windows 95; since then, PPTP has been supported in every version of Microsoft Windows.
PPTP transfers two different types of packet over the VPN connection. The first is the Generic Routing Encapsulation (GRE) packet (described in RFC 1701 and RFC 1702). The data to be transferred is encapsulated in a PPP frame, and a GRE header is attached to the PPP packet or frame. The PPP frame contains the original PPP payload, encrypted and encapsulated with the PPP protocol, while the GRE header contains various control bits, a sequence number and a tunnel number. The function of GRE is to provide a flow- and congestion-controlled encapsulated datagram service for carrying PPP packets. The whole packet consists of the data link layer header, IP header, GRE header, PPP header, encrypted PPP payload and data link trailer. The second type of packet is the PPTP control message or packet. PPTP control messages contain control information such as connection requests and responses, connection parameters and error messages; they consist of an IP header, TCP header, PPTP control message and data link trailer. To set up, maintain and terminate the VPN tunnel, PPTP uses a control connection between the remote client and the server over TCP port 1723. These two PPTP packet types do not guarantee the privacy of the packet payload, so to improve their security PPTP supports the same encryption and authentication methods used with PPP connections (伯杰, T. 2006 and 2006). To authenticate packets sent through the VPN tunnel, PPTP uses the following protocols: Extensible Authentication Protocol - Transport Layer Security (EAP-TLS), Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), Shiva Password Authentication Protocol (SPAP) and Password Authentication Protocol (PAP). For encryption, PPTP uses Microsoft Point-to-Point Encryption (MPPE) to encrypt the PPP packets passed between the remote computer and the remote access server, improving the confidentiality of PPP-encapsulated packets (as in RFC 3078), or uses the RC4 symmetric stream cipher to encrypt the GRE payload.
L2TP is an IETF standard that was established as the result of combining the best features of two protocols: Cisco's Layer 2 Forwarding (L2F) protocol (described in RFC 2341) and Microsoft's PPTP (Cisco Systems, 2008). L2TP facilitates the tunnelling of PPP frames across an intervening network in a way that is as transparent as possible to end users and applications (RFC 2661). The L2TP protocol encapsulates PPP packets (whose payload may be encrypted, compressed, or both) into User Datagram Protocol (UDP) packets at the transport layer. L2TP can be used over the Internet as well as over private intranets, and it can also send PPP packets over X.25, Frame Relay or ATM networks. The UDP packet consists of the following, in order: a UDP header with source and destination addresses using port 1701; control bits representing options such as the version and the packet length; a sequence number, used to keep track of packets; and a tunnel ID field identifying the tunnel. The layer 2 frame also contains the media access control (MAC) address and the payload. To secure the L2TP packet and strengthen its authenticity, it is combined with IPSec by attaching an IPSec ESP header, using IPSec transport mode. After L2TP is combined with IPSec, the UDP packet is encrypted and encapsulated with an IPSec ESP header and trailer and an ESP authentication trailer. The L2TP packet now consists of: data link layer header, IP header, IPSec ESP header, UDP header, L2TP frame, IPSec ESP trailer, IPSec ESP authentication trailer and data link trailer, resulting in excessive protocol overhead (伯杰, T. 2006 and 2006).
Secure Sockets Layer (SSL)
Tunnelling protocols add processing overhead to a VPN connection, which also affects network performance. Some weaknesses come with implementing any of these security technologies on an insecure public network such as the Internet: the specific standards may be imperfect and fail to provide a secure, stable and fast data link, or they may conflict with lower-layer protocols and cause serious problems (伯杰, T. 2006). For example, the IPSec technology uses three protocols, namely AH, ESP and IKE, to guarantee security over the public network, which in turn increases the overhead of the packets being sent. IPSec uses two modes to transfer packets: transport mode and tunnel mode. Tunnel mode is widely used because the tunnel can be used to access some resources; it encapsulates the IP packet inside another IP packet, with all parts of the packet encrypted. A research paper by 树, C. et al. (2005) carried out an analysis to evaluate the performance overhead associated with an IPSec VPN server using tunnel mode. Tunnel mode uses different techniques to ensure additional security on the packet: it uses two different protocols, namely ESP and IKE, and various encryption algorithms and encryption key sizes, so that the packet size doubles. It was found that the overhead of the IKE protocol is substantially higher than the overhead incurred by ESP for processing packets; cryptographic operations contribute 32-60% of the overhead for IKE and 34-55% for ESP; and finally, the cost of generating digital signatures and the Diffie-Hellman computations is the largest contributor in the IKE process, with only a small amount of the overhead attributable to symmetric-key encryption and hashing.
The Layer 2 Tunneling Protocol (L2TP) implemented on a VPN connection initially causes no overhead, because it uses no packet encryption, authentication or confidentiality mechanisms. But when this protocol is combined with IPSec, it adds all of the above mechanisms to the packet, making it very secure; this, however, comes with the problem of added protocol overhead, among other things. In this case, both the IPSec and L2TP headers are added to the packet, which increases the packet size and, in doing so, reduces VPN performance. (伯杰, T. 2006)
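To make the protocol overhead of the PPTP, L2TP/IPSec and IPSec ESP tunnel-mode layouts described in the preceding sections concrete, here is an added example that is not code from the essay or from the cited papers. It totals the header and trailer bytes of each stack for a given payload size, so the growth in packet size (and therefore the bandwidth cost before any CPU cost is counted) can be compared. The field sizes follow RFC 2637, RFC 2661, RFC 4303 and Ethernet framing; the cipher IV size (16 bytes, as for AES-CBC) and the ICV size (12 bytes, HMAC-SHA1-96) are assumptions for the example, and the MPPE header is omitted from the PPTP stack.

```python
"""Per-packet overhead of the encapsulation stacks described in the text.

Added example, not code from the original essay or the cited papers. It sums
the header and trailer sizes of the packet layouts the text lists for
PPTP/GRE, L2TP over IPsec ESP (transport mode) and IPsec ESP tunnel mode.
Field sizes come from RFC 2637, RFC 2661 and RFC 4303 plus Ethernet framing;
the IV and ICV sizes are assumed (AES-CBC, HMAC-SHA1-96).
"""
from dataclasses import dataclass

ETH_HDR, ETH_FCS = 14, 4     # data link header / trailer
IPV4_HDR = 20                # IPv4 header without options
UDP_HDR = 8
PPP_HDR = 2                  # PPP protocol field (address/control compressed)
GRE_PPTP_HDR = 16            # RFC 2637 enhanced GRE: 8 base + 4 sequence + 4 ack
L2TP_DATA_HDR = 6            # RFC 2661 data message: flags/version, tunnel id, session id
ESP_HDR = 8                  # SPI + sequence number
ESP_IV = 16                  # assumed: AES-CBC initialisation vector
ESP_ICV = 12                 # assumed: HMAC-SHA1-96 integrity check value
CIPHER_BLOCK = 16            # assumed: AES block size for ESP padding


def esp_padded_len(plain_len: int) -> int:
    """Plaintext plus pad length and next header bytes, rounded up to a block."""
    n = plain_len + 2
    return -(-n // CIPHER_BLOCK) * CIPHER_BLOCK


@dataclass
class FrameSize:
    name: str
    payload: int
    total: int

    @property
    def overhead_pct(self) -> float:
        """Extra bytes on the wire as a percentage of the payload carried."""
        return 100.0 * (self.total - self.payload) / self.payload


def pptp_frame(payload: int) -> FrameSize:
    """Data link | IP | GRE | PPP | payload | data link trailer (MPPE header omitted)."""
    total = ETH_HDR + IPV4_HDR + GRE_PPTP_HDR + PPP_HDR + payload + ETH_FCS
    return FrameSize("PPTP/GRE", payload, total)


def l2tp_ipsec_frame(payload: int) -> FrameSize:
    """Data link | IP | ESP hdr+IV | [UDP | L2TP | PPP | payload | ESP trailer] | ICV | trailer."""
    encrypted = esp_padded_len(UDP_HDR + L2TP_DATA_HDR + PPP_HDR + payload)
    total = ETH_HDR + IPV4_HDR + ESP_HDR + ESP_IV + encrypted + ESP_ICV + ETH_FCS
    return FrameSize("L2TP/IPsec ESP (transport)", payload, total)


def esp_tunnel_frame(inner_ip_len: int) -> FrameSize:
    """Data link | outer IP | ESP hdr+IV | [inner IP packet | ESP trailer] | ICV | trailer."""
    encrypted = esp_padded_len(inner_ip_len)
    total = ETH_HDR + IPV4_HDR + ESP_HDR + ESP_IV + encrypted + ESP_ICV + ETH_FCS
    return FrameSize("IPsec ESP (tunnel)", inner_ip_len, total)


def overhead_table(sizes=(64, 576, 1400)) -> list:
    """All three stacks at each payload size, for side-by-side comparison."""
    rows = []
    for n in sizes:
        rows.extend((pptp_frame(n), l2tp_ipsec_frame(n), esp_tunnel_frame(n)))
    return rows


if __name__ == "__main__":
    for r in overhead_table():
        print(f"{r.name:28s} payload={r.payload:5d} frame={r.total:5d} "
              f"overhead={r.overhead_pct:5.1f}%")
```

The table makes the essay's point visible: for small packets the fixed headers dominate (a 64-byte payload more than doubles in size under L2TP/IPSec), while at 1400 bytes the same stacks cost only a few percent, which is why the extra CPU work of IKE and ESP, not bandwidth, is the larger cost for bulk transfers.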