Thursday, April 4, 2019

Overview of VPN Evolution of Private Networks

Before virtual private networks emerged and gained popularity as a reliable and cheaper medium for sensitive information to be accessed and transmitted between two or more corporate networks over a public network such as the internet, other network technologies had been invented and used to connect business sites to other sites that are miles away from each other.

In the sixties, sites were connected together to enable data transfer through analog phone dial-ups and 2,400-bps modems leased from AT&T; businesses had no faster modems to choose from because the telephone companies were regulated by the government. It was not until the early eighties that businesses were able to connect sites at higher speed using 9,600-bps modems, because other telephone companies emerged as a result of changes in government regulation and policy on telephony. During this period there were not many mobile workers, and the modem links were still not as dynamic as what is available now. The analog phone lines were permanently wired to the sites and were specially selected lines (called conditioned lines) that were specifically built for full-time use by companies; these lines are different from regular phone lines. This technology provided full bandwidth and privacy, but at a great cost: payment was expected for the full bandwidth whether or not the line was used. Another innovation used for connecting sites, which came out in the mid 1970s, was the Digital Data Service (DDS). This was the first digital service, with a speed of 56 Kbps, and it was used for private lines.
This service later became a major and useful innovation for wide area networks, and it grew into other services that are popularly used today, such as the T1 service, which consists of 24 separate channels each carrying up to 64 Kbps of either data or voice traffic. In the late 1970s the idea of the VPN was initiated with the introduction of X.25. X.25 is a Virtual Connection (VC) form of packet switching which logically separates data streams. With this function the service provider is able to carry as many point-to-point VCs as needed across a switched network infrastructure, provided each endpoint has a device that terminates the connection at the site. Sometime in the early 1980s, X.25 service providers offered VPN services to customers (i.e. businesses) who used the network protocols of the time, as well as to early adopters of TCP/IP. Over the years, in the nineties, other networking technologies were deployed for connecting private networks, such as high-speed Frame Relay and Asynchronous Transfer Mode (ATM) switching. These networking technologies were provided to give virtual connectivity to businesses at speeds of up to OC3 (155 Mbps). Setting up this kind of technology involved customer IP routers (customer premises equipment, or CPE) interconnected in a partial or full mesh of Frame Relay or ATM VCs to other CPE devices; in other words, less equipment is needed for its set-up (Metz, C. 2003). Based on some commentators and researchers such as Mangan, T. (2001), Frame Relay and ATM are referred to as the standard for VPN technology. These technologies gained much popularity after the leased line for connecting sites, and they were also easy to set up.
With the increasing speed at which businesses grow and operate globally, requiring staff to be mobile and work offsite, Frame Relay is not the best technology to use for remote access, since it is just an overlay technology. Although the leased line is a better alternative for connecting business sites, it is too expensive to own. With the advent of the internet and its wide use in everyday transactions, businesses have adopted it for transmitting and accessing data across various sites by implementing a VPN connection between those sites, which is relatively cheap, flexible and scalable, in order to protect the data sent across the insecure internet from being tampered with by unauthorized persons.

VPN Definition

There are various definitions of a Virtual Private Network (VPN), given by various vendors, which best describe their products. Several books, journals, whitepapers, conference papers and internet sites give various definitions of what the technology is; these definitions are usually put in different words and sentence structure, but mostly they mean the same thing. In order to get a good understanding of what the technology is all about, definitions given by several people from different sources will be looked at, and a concise definition will be formulated from all of them that will be used throughout this research work.

A virtual private network (VPN) is a network that uses a public telecommunication infrastructure, such as the internet, to provide remote offices or individual users with secure access to their organization's network. SearchSecurity.com (2008).

A VPN is a group of two or more computer systems, typically connected to a private network (a network built and maintained by an organization solely for its own use) with limited public-network access, that communicates securely over a public network.
(Calsoft Labs whitepaper, 2007)

Aoyagi, S. et al. (2005): A Virtual Private Network (VPN) enables a private connection to a local area network through a public network such as the Internet. With a VPN, data is sent between two nodes across a public network in a manner that emulates a dial-up link. There are two types of VPN systems: one is used for connecting LANs across the Internet, and the other is used to connect a remote node to a LAN across the Internet.

A VPN tunnel encapsulates data within IP packets to transport information that requires additional security or does not conform to internet addressing standards. The result is that remote users act as virtual nodes on the network into which they have tunnelled. Kaeo, M. (2004), p135.

A VPN is a virtual network connection that uses the internet to establish a connection that is secure. Holden, G. (2003), p286.

A VPN uses a public network, such as the internet, to facilitate communication; however, it adds a layer of security by encrypting the data travelling between companies and authenticating users to ensure that only authorized users can access the VPN connection. Mackey, D. (2003), p157.

Randall, K. et al. (2002), p377, likened a Virtual Private Network (VPN) to a Tunnel Mode, as a means of transmitting data between two security gateways, such as two routers, that encrypts the entire IP packet and appends a new IP header carrying the receiving gateway's address in the destination address.

VPNs enable companies to connect geographically dispersed offices and remote workers via secure links to the private company network, using the public Internet as a backbone. Lee, H. et al. (2000).

Looking closely at all these definitions from various authors, they all stress security and connectivity.
These are the essential features of VPNs: they create a connection between two private networks over a public network by using encapsulation and tunnelling protocols to transmit data, and they provide security by encryption and authentication in order to control access to data and resources on the company's network. In other words, a VPN is a network technology that securely connects two or more private networks over an insecure public network such as the internet, so as to enable internal access to files and resources and data transfer.

Types of VPN

There are three different VPN connectivity models that can be implemented over a public network:

Remote-access VPNs: provide remote access to an enterprise customer's intranet or extranet over a shared infrastructure. Deploying a remote-access VPN enables corporations to reduce communications expenses by leveraging the local dial-up infrastructure of internet service providers. At the same time, the VPN allows mobile workers, telecommuters and day extenders to take advantage of broadband connectivity. Access VPNs impose security over analog, dial, ISDN, digital subscriber line (DSL), mobile IP and cable technologies that connect mobile users, telecommuters and branch offices.

Intranet VPNs: link enterprise customer headquarters, remote offices and branch offices in an internal network over a shared infrastructure. Remote and branch offices can use VPNs over existing internet connections, thus providing a secure connection for remote offices. This eliminates costly dedicated connections and reduces WAN costs. Intranet VPNs allow access only to the enterprise customer's employees.

Extranet VPNs: link outside customers, partners or communities of interest to an enterprise customer's network over a shared infrastructure. Extranet VPNs differ from intranet VPNs in that they allow access to users outside the enterprise.

VPN Configurations

There are two main types of VPN configuration for deploying the VPN connection over a public network.
These are:

Site-to-site VPNs: This is sometimes referred to as a secure gateway-to-gateway connection over the internet, private or outsourced networks. This configuration secures information sent across multiple LANs and between two or more office networks, and this is done by routing packets across a secure VPN tunnel over the network between two gateway devices or routers. The secure VPN tunnel enables two private networks (sites) to share data through an insecure network without fear that the data will be intercepted by unauthorized persons outside the sites. The site-to-site VPN establishes a matched peer relationship between two networks via the VPN tunnel (Kaeo, M. 2004). Similarly, Holden, G. (2003) describes a site-to-site VPN as a link between two or more networks. This is mostly used in intranet VPNs and sometimes in extranet VPNs.

Client-to-site VPNs: This configuration involves a client at an insecure remote location who wants to access internal data from outside the organization's LAN. Holden, G. (2003) explains a client-to-site VPN as a network made accessible to remote users who need dial-in access, while Kaeo, M. (2004) defines a client-to-site VPN as a collection of many tunnels that terminate on a common shared endpoint on the LAN side. In this configuration the user needs to establish a connection to the VPN server in order to gain a secure route into the site's LAN, and this is done by configuring a VPN client, which can be either the computer's operating system or a hardware VPN device such as a router. The connection then enables the client to access and use internal network resources. This kind of configuration is also referred to as a secure client-to-gateway connection. It is usually used in access VPNs and sometimes in extranet VPNs.

VPN Topology

VPN Components

Creating a VPN connection between sites or networks involves the use of some components.
These components contain some elements that need to be properly set up in order to carry data from one network endpoint to another. These elements include:

VPN server: This is either a computer system or a router configured to accept connections from the client (i.e. a remote computer), which gains access by dialling in or connecting directly through the internet. This serves as one endpoint of the VPN tunnel.

VPN client: This can be either a hardware-based system, usually a router that serves as the endpoint of a gateway-to-gateway VPN connection, or a software-based system, either a built-in or downloaded program on the computer's operating system that can be configured to function as an endpoint in a VPN, such as the clients built into Windows XP, 2000 or Vista, or Check Point client software.

Tunnel: This is the link between the VPN server and client endpoints through which the data is sent.

VPN protocols: These are sets of standardised data transmission technologies that the software and hardware systems use to apply security rules and policies to data sent along the VPN.

Types of VPN Systems

The VPN components form the endpoints of the VPN connection from one private network to another through the public network. The choice of components depends on various factors, such as the size of the organization (whether it is small, large or growing), the cost involved in implementing a VPN either with new components or with existing ones, and lastly which of the components is best suited to the connection. There are three kinds of component that can be used to set up a VPN connection, and a combination of any of them can also be used.

One way to set up a VPN is to use a hardware device. The hardware device is a VPN component designed to connect gateways or multiple LANs together over the public network, using secure protocols to ensure network and data security.
Two devices are commonly used to perform these functions. One typical hardware-based VPN device is a router, which encrypts and decrypts the data that goes in and out of the network gateways. The other is a VPN appliance, whose purpose is to terminate VPN connections and join multiple LANs (Holden, G. 2003). This device creates a connection between multiple users or networks.

VPN hardware devices are more cost effective for fast-growing organizations, since they are built to handle more network traffic. They are the better choice when network throughput and processing overhead matter. They are also a good choice when the routers used at each end of the network are the same and are controlled by the same organization.

Another way to set up a VPN is to use a software-based component. The software component is a program, usually installed on the operating system of the host, which can be used to set up a VPN connection. It is easy to configure and more flexible and cost effective than a hardware VPN. Software VPNs are suitable in networks that use different routers and firewalls, and are best used between different organizations and network administrators, such as partner companies. Software VPNs allow traffic to be tunnelled selectively based on address or protocol, unlike hardware-based products, which generally tunnel all the traffic they handle. But software-based systems are generally harder to manage than hardware-based systems. They require familiarity with the host operating system, the application itself and the appropriate security mechanisms, and some software VPN packages require changes to routing tables and network addressing schemes (Calsoft Labs whitepaper, 2007).

The third kind of component is the firewall-based VPN; it makes use of the firewall's mechanisms as well as restricting access to the internal network.
This kind of component ensures that VPN traffic passes through the network gateway to the desired destination and that non-VPN traffic is filtered according to the organization's security policy. It achieves this by performing address translation, making sure that the requirements for strong authentication are met, and providing real-time alarms and extensive logging.

These three kinds of component can be combined to set up a VPN and add layers of security to the network. This can be a combination of hardware and software VPNs, or a combination of all three in the same device. There are several hardware-based VPN packages that offer software-only clients for remote installation and incorporate some of the access control features more traditionally managed by firewalls or other perimeter security devices (Calsoft Labs whitepaper, 2007). An example of such a device is the Cisco VPN 3000 Series Concentrator, which gives users the choice of operating in two modes: client mode and network extension mode. In client mode the device acts as a software client, enabling a client-to-host VPN connection, while in network extension mode it acts as a hardware system, enabling a site-to-site VPN connection. A combination of these components from different vendors can also be used to set up a VPN connection, but this comes with some challenges. The solution proposed by Holden, G. (2004) is to use a standard security protocol that is widely used and supported by all products.

VPN Security Features

The main purpose of a VPN is to provide security and connectivity (a tunnel) over a public network, and this cannot be done without some key activities being performed and policies being set up. For VPNs to provide a cost-effective and better way of securing data over an insecure network, they apply some security principles and measures.

Data sent over the internet using the TCP/IP protocol suite is carried in packets. A packet consists of the data and an IP header.
The first thing that happens to data sent across a VPN is that it gets encrypted at the source endpoint and decrypted at the destination endpoint. Encryption is a method of protecting information from unauthorised persons by encoding it so that it can only be read by the intended recipient. Encryption is performed by an algorithm together with a key; without the key, the encoded information is unreadable. For a given algorithm, the larger the key (in bits), the stronger the encryption and the harder it is for an intruder to break by exhaustive search; a long key does not, however, rescue a weak algorithm. Data encryption can be applied in two ways: transport mode or tunnel mode. These modes are the two ways of transmitting data securely between two private networks. In transport mode, the data part (otherwise known as the payload) of the IP packet is encrypted and decrypted by the two endpoint hosts, but the IP header is not. In tunnel mode, both the data part and the header of the original IP packet are encrypted and decrypted between the gateways in front of the source computer and the destination computer.

Another security measure a VPN applies to data is IP encapsulation. The VPN uses IP encapsulation by enclosing the actual IP packet in another IP packet whose source and destination addresses are those of the VPN gateways. When the enclosed packet is encrypted, this hides both the data being sent and the private network's IP addresses, which do not conform to internet addressing standards, from anyone intercepting the traffic on the public network.

The third security measure is authentication. This is a method of identifying a user by proving that the user is actually authorized to access and use internal files. How a host, user or computer using the VPN is authenticated depends on the tunnelling protocol in use, and encryption is relied on for added security.
The tunnelling protocols that are widely used for authentication over a network are IPSec, PPTP, L2TP and SSL, the most commonly used being IPSec. The hosts using the VPN establish a Security Association (SA) and authenticate one another by exchanging keys that are generated by an algorithm (a mathematical formula). These keys can be either symmetric keys, i.e. a secret key that is exactly the same at both ends and known only to the hosts, which use it to verify each other's identity, or asymmetric keys, where each host has a private key from which a public key is derived. The sending host uses the other's public key to encrypt information that can only be decrypted with the receiving host's private key. The Point-to-Point Tunneling Protocol uses the Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) to authenticate computers using the VPN by exchanging authentication packets with one another. The users connecting to the VPN can also be authenticated by what the user knows (a password or shared secret), what the user has (a smart card) and what the user is (biometrics, e.g. fingerprints).

VPN Tunnelling Protocols

VPNs create secure connections, called tunnels, through public shared communication infrastructures such as the Internet. These tunnels are not physical entities but logical constructs, created using encryption, security standards and protocols (Clemente, F. et al. 2005). A VPN tunnelling protocol is a set of standardised rules and policies applied to the transmitted data. There are various standard protocol technologies used to create a VPN tunnel, and each of these protocols is built with some unique security features.
In this research work the protocols explained in this section are the most widely used.

Internet Protocol Security (IPSec)

Internet Protocol Security (IPSec), as proposed in the Internet Engineering Task Force (IETF) Request for Comments (RFC) 2401, provides data packet integrity, confidentiality and authentication over IP networks. An IPSec policy consists of sets of rules that designate the traffic to be protected, the type of protection, such as authentication or confidentiality, and the required protection parameters, such as the encryption algorithm (Jason, K. 2003; Hamed, H. et al. 2005; Shue, C. et al. 2005; Berger, T. 2006; Clemente, F. et al. 2005; Liu, L. and Gao, W. 2007). IPSec provides security at the network layer and offers a collection of methods, protocols, algorithms and techniques for establishing a secure VPN connection.

There are two basic modes of IPSec connection: transport mode and tunnel mode. Transport mode inserts an IPSec header after the IP header of the packet. Tunnel mode is more flexible than transport mode: it encapsulates the IP packet inside another IP packet and attaches the IPSec header to the outer IP packet, so the entire original IP packet is protected. The IPSec mode is negotiated and agreed on by the networks at each end of the VPN connection and is recorded, among other things, in the Security Association (SA). The SA is the set of policy and keys used to protect the connection, including the IPSec mode, the symmetric ciphers and the keys used during secure data transmission.

IPSec uses two main protocols, either of which can be used with either mode: the Authentication Header (AH) and the Encapsulating Security Payload (ESP). The Authentication Header contains a Security Parameter Index (SPI) and provides data authentication and integrity (an HMAC over MD5 or SHA-1) on the whole IP packet, excluding header fields that change in transit such as the TTL, but it does not guarantee privacy (confidentiality) of the data.
ESP guarantees privacy (confidentiality) of the data in addition to the authentication and integrity features AH provides, with one difference a practitioner should note: ESP's integrity check covers the ESP header and payload but not the outer IP header, whereas AH's does. The ESP header includes an initialization vector field, which is used by symmetric block ciphers (Berger, T. 2006). Another essential protocol that IPSec uses to establish the VPN tunnel is the Internet Key Exchange protocol (IKE). This protocol exchanges encryption keys and authentication data (RFC 2409) over UDP port 500, and it relies on the Internet Security Association and Key Management Protocol (ISAKMP), which allows both endpoints to share public keys and authenticate themselves with digital certificates (RFC 2408). To create a VPN tunnel using IPSec, two things need to be done. First, both networks need to agree on the SA for IKE itself; this is done by using the Diffie-Hellman key exchange to derive shared keying material, after which the two ends authenticate one another. Once that is done, both endpoints set the parameters for the VPN tunnel (the IPSec SA), including symmetric cipher keys (and key lifetime information), security policy, the network routes to be protected, and other connection-relevant information.

Point-to-Point Tunneling Protocol (PPTP)

Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server by creating a virtual private network (VPN) across TCP/IP-based data networks (Microsoft TechNet, 2008). PPTP operates at layer 2 of the OSI model. PPTP, as specified in RFC 2637, describes a means for carrying the Point-to-Point Protocol (PPP), described in RFC 1661, over an IP-based network. It was created by a vendor consortium known as the PPTP Industry Forum, which included Microsoft Corporation, Ascend Communications, 3Com/Primary Access, ECI Telematics, US Robotics and Copper Mountain Networks. PPTP is one of the most commonly used protocols for dial-up remote access over the internet.
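The transport and tunnel modes described under VPN Security Features, and the ESP header with its SPI and sequence number described in the IPSec section above, as an added example (my code, not from the page or any of the cited sources). It builds ESP packets in both modes, verifies the integrity check value on receipt and enforces the receiver's anti-replay window. To keep the framing visible it uses the NULL cipher (RFC 2410, an authentication-only ESP) with HMAC-SHA1-96; a real SA would carry a cipher such as AES, and only then are the inner packet and its private addresses actually hidden from an observer. All keys, SPIs and addresses are constructed:

```python
"""ESP framing in transport and tunnel mode, with ICV verification and an
anti-replay window on the receiving gateway. Added example, not from the
original page or any cited source. NULL cipher (RFC 2410) so the framing is
visible; keys, SPIs and addresses below are constructed."""
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_IPIP = 4      # next-header value: ESP payload is an IPv4 packet (tunnel mode)
IPPROTO_TCP = 6
IPPROTO_ESP = 50
IP_HDR_LEN = 20
ESP_HDR_LEN = 8       # SPI (4) + sequence number (4)
ICV_LEN = 12          # HMAC-SHA1-96: first 96 bits of HMAC-SHA1


def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header, no options; checksum left zero for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + payload_len,
                       0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


class SecurityAssociation:
    """One direction of an SA: SPI, integrity key, and replay state."""

    def __init__(self, spi, auth_key, window=64):
        self.spi = spi
        self.auth_key = auth_key
        self.seq = 0            # last sequence number sent
        self.window = window    # receiver's anti-replay window size
        self.highest = 0        # highest sequence number accepted so far
        self.seen = set()       # accepted sequence numbers inside the window


def esp_encapsulate(sa, inner, next_header):
    """ESP header | inner | padding | pad length | next header | ICV."""
    sa.seq += 1
    pad_len = (-(len(inner) + 2)) % 4           # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))      # RFC 4303 default pad bytes 1,2,3...
    body = inner + padding + bytes([pad_len, next_header])
    header = struct.pack("!II", sa.spi, sa.seq)
    icv = hmac.new(sa.auth_key, header + body, hashlib.sha1).digest()[:ICV_LEN]
    return header + body + icv


def esp_decapsulate(sa, esp):
    """Check the ICV first, then the replay window, then strip the trailer."""
    if len(esp) < ESP_HDR_LEN + 2 + ICV_LEN:
        raise ValueError("ESP packet too short")
    header, body, icv = esp[:ESP_HDR_LEN], esp[ESP_HDR_LEN:-ICV_LEN], esp[-ICV_LEN:]
    spi, seq = struct.unpack("!II", header)
    if spi != sa.spi:
        raise ValueError("unknown SPI 0x%x" % spi)
    expected = hmac.new(sa.auth_key, header + body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: packet modified in transit")
    # Replay check only after the ICV passes, so a forger cannot move the window.
    if seq <= sa.highest - sa.window or seq in sa.seen:
        raise ValueError("replayed or stale sequence number %d" % seq)
    sa.highest = max(sa.highest, seq)
    sa.seen.add(seq)
    pad_len, next_header = body[-2], body[-1]
    return body[:len(body) - 2 - pad_len], next_header


def transport_mode(sa, src, dst, segment):
    """Transport mode: the host's own IP header stays outside ESP; only the
    transport segment is inside."""
    esp = esp_encapsulate(sa, segment, IPPROTO_TCP)
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp


def tunnel_mode(sa, gw_src, gw_dst, inner_packet):
    """Tunnel mode: the whole original IP packet goes inside ESP and a new
    outer header carries only the two gateway addresses."""
    esp = esp_encapsulate(sa, inner_packet, IPPROTO_IPIP)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp


def receive(sa, packet):
    """Receiving end: drop the 20-byte outer header, return (inner, next header)."""
    if packet[9] != IPPROTO_ESP:
        raise ValueError("not an ESP packet")
    return esp_decapsulate(sa, packet[IP_HDR_LEN:])


if __name__ == "__main__":
    key = bytes(range(20))
    tx, rx = SecurityAssociation(0x1000, key), SecurityAssociation(0x1000, key)
    inner = ipv4_header("10.0.1.5", "10.0.2.7", IPPROTO_TCP, 5) + b"hello"
    wire = tunnel_mode(tx, "203.0.113.1", "198.51.100.1", inner)
    print("outer src/dst:", ipaddress.IPv4Address(wire[12:16]),
          ipaddress.IPv4Address(wire[16:20]))
    print("recovered inner packet:", receive(rx, wire)[0] == inner)
```

The ordering inside esp_decapsulate is the point worth copying: the ICV is checked before the sequence number is consulted, so an attacker who cannot forge the ICV cannot advance the receiver's window, and a captured packet replayed later is rejected because its sequence number has already been accepted.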
Microsoft included PPTP support in Windows NT Server 4 and released a Dial-Up Networking pack for Windows 95, and since then PPTP has been supported in every Microsoft Windows version.

PPTP transfers two different types of packet over a VPN connection. The first is the Generic Routing Encapsulation (GRE) packet (described in RFC 1701 and RFC 1702). It carries PPP frames as tunnelled data by attaching a GRE header to the PPP frame. The PPP frame contains the PPP payload, which is encrypted and then wrapped in a PPP header, while the GRE header contains various control bits, sequence numbers and the tunnel (call) identifier. The function of GRE here is to provide a flow- and congestion-controlled encapsulated datagram service for carrying PPP packets. The complete packet consists of a data link header, IP header, GRE header, PPP header, encrypted PPP payload and data link trailer. The second type of packet is the PPTP control message. A PPTP control packet carries control information such as connection requests and responses, connection parameters and error messages, and consists of an IP header, TCP header, PPTP control message and data link trailer. In order to create, maintain and terminate the VPN tunnel, PPTP uses a control connection between the remote client and the server on TCP port 1723. These two packet types do not by themselves provide privacy for the packet payload, so in order to secure them PPTP supports the same encryption and authentication methods used in PPP connections (Berger, T. 2006; vpntools.com, 2006). To authenticate the peer when the tunnel is set up, PPTP uses any of the following protocols: Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), Shiva Password Authentication Protocol (SPAP) and Password Authentication Protocol (PAP). Of these, PAP sends the password in the clear and should not be used over an untrusted network.
For encryption, PPTP uses Microsoft Point-to-Point Encryption (MPPE), described in RFC 3078, to encrypt the PPP packets that pass between the remote computer and the remote access server, giving confidentiality to the PPP-encapsulated packets; MPPE uses the symmetric RC4 stream cipher, so it is the GRE payload (the PPP frame) that is encrypted, not the GRE or IP headers.

Layer 2 Tunneling Protocol (L2TP)

L2TP is an IETF standard established by combining the best features of two protocols: Cisco's Layer 2 Forwarding (L2F) protocol (described in RFC 2341) and Microsoft's PPTP (Cisco Systems, 2008). L2TP facilitates the tunnelling of PPP frames across an intervening network in a way that is as transparent as possible to both end-users and applications (RFC 2661). L2TP encapsulates the PPP packet (whose payload can be encrypted, compressed, or both) into a User Datagram Protocol (UDP) packet at the transport layer. L2TP can be used over the internet as well as over private intranets, and can also send PPP packets over X.25, Frame Relay or ATM networks. The UDP packet consists of the following, in this order: a UDP header with source and destination ports using port 1701; control bits representing options such as the version and whether a length field is present; the tunnel ID and session ID fields, which identify the tunnel and the session within it, optionally followed by sequence numbers used to track the packets; and the layer 2 (PPP) frame, which contains the PPP header and the payload. To secure the L2TP packet and authenticate its origin, L2TP is combined with IPSec by attaching an IPSec ESP header in IPSec transport mode. After combining IPSec with L2TP, the UDP packet is encrypted and encapsulated with an IPSec ESP header and trailer and an ESP authentication trailer.
The L2TP/IPSec packet now consists of the following: data link header, IP header, IPSec ESP header, UDP header, L2TP frame, IPSec ESP trailer, IPSec ESP authentication trailer and data link trailer, resulting in considerable protocol overhead (Berger, T. 2006; vpntools.com, 2006).

Secure Socket Layer (SSL)

Multiprotocol Label Switching

Literature Review

VPN Protocol Overhead

The tunnelling protocols also affect the network by adding processing overhead to the VPN connection. Implementing these secure technologies on any insecure public network like the internet comes with some weaknesses, which can result either from the specific standards not being sophisticated enough to provide secure, stable and fast data links, or from interaction with lower-level protocols causing serious problems (Berger, T. 2006). For example, IPSec employs three protocols, namely AH, ESP and IKE, in order to ensure security over the public network, and this in turn adds overhead to the packet being sent. IPSec uses two modes for transferring packets, transport mode and tunnel mode. Tunnel mode is the more widely used because the tunnel can be used to reach several resources, and it encapsulates and encrypts every part of the original IP packet within another IP packet. In a research paper by Shue, C. et al. (2005), an analysis was carried out to evaluate the performance overhead associated with IPSec on VPN servers, using tunnel mode. Tunnel mode applies several technologies to add security to the packet: the two protocols ESP and IKE, and various encryption algorithms and cryptographic key sizes, and in doing so it increases the size of the packet considerably (for small packets the added headers and trailers can double it).
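The header stacks listed above for PPTP and L2TP, and the IPSec overhead being discussed here, as an added example (my code, not from the page or from Berger, Shue et al. or any other cited source). It builds the actual PPTP enhanced GRE header and L2TP data header as bytes, then computes the on-wire size of one packet under each of IPSec ESP transport mode, IPSec ESP tunnel mode, PPTP, plain L2TP and L2TP/IPSec, the bytes each adds, and the largest transport payload that still fits a 1500-byte Ethernet MTU without fragmentation. Assumptions not stated on the page: ESP uses AES-CBC (16-byte IV and block) with HMAC-SHA1-96 (12-byte ICV); the PPP header is 4 bytes; the GRE header carries both sequence and acknowledgement numbers; L2TP data messages carry no sequence numbers; MPPE and compression headers are not counted:

```python
"""Per-packet overhead of the tunnelling protocols discussed on the page.
Added example, not from the original text or any cited source. The cipher,
PPP header size and optional-field choices are assumptions (see comments)."""
import struct

MTU = 1500          # Ethernet, excluding the 14-byte link-layer header
IPV4_HDR = 20
UDP_HDR = 8
PPP_HDR = 4         # address, control, protocol (assumption)
ESP_HDR = 8         # SPI + sequence number
ESP_IV = 16         # AES-CBC IV (assumption)
ESP_ICV = 12        # HMAC-SHA1-96 (assumption)
ESP_BLOCK = 16      # AES block size: payload + trailer padded to a multiple


def gre_pptp_header(call_id, seq=None, ack=None, payload_len=0):
    """Enhanced GRE header used by PPTP (RFC 2637): K set, protocol 0x880B."""
    flags = 0x2000 | 0x0001            # K (key present) | Ver = 1
    if seq is not None:
        flags |= 0x1000                # S: sequence number present
    if ack is not None:
        flags |= 0x0080                # A: acknowledgement number present
    hdr = struct.pack("!HHHH", flags, 0x880B, payload_len, call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr


def l2tp_data_header(tunnel_id, session_id, length=None, ns=None, nr=None):
    """L2TP data message header (RFC 2661): version 2, T=0, optional L and S."""
    flags = 0x0002                     # Ver = 2, data message
    if length is not None:
        flags |= 0x4000                # L: length field present
    if ns is not None:
        flags |= 0x0800                # S: Ns/Nr present
    hdr = struct.pack("!H", flags)
    if length is not None:
        hdr += struct.pack("!H", length)
    hdr += struct.pack("!HH", tunnel_id, session_id)
    if ns is not None:
        hdr += struct.pack("!HH", ns, nr)
    return hdr


def esp_wrap(inner_len):
    """Bytes on the wire for ESP around `inner_len` bytes: header, IV,
    padding to the cipher block, 2-byte trailer, ICV."""
    pad = (-(inner_len + 2)) % ESP_BLOCK
    return ESP_HDR + ESP_IV + inner_len + pad + 2 + ESP_ICV


PROTOCOLS = ("ipsec-transport", "ipsec-tunnel", "pptp", "l2tp", "l2tp-ipsec")


def wire_length(proto, payload_len):
    """Bytes on the wire (IP and above) for one packet whose original form is
    a 20-byte IPv4 header plus `payload_len` bytes of transport payload."""
    original = IPV4_HDR + payload_len
    if proto == "ipsec-transport":
        return IPV4_HDR + esp_wrap(payload_len)       # original IP header kept outside
    if proto == "ipsec-tunnel":
        return IPV4_HDR + esp_wrap(original)          # whole packet inside, new outer header
    gre = len(gre_pptp_header(call_id=1, seq=1, ack=1))
    if proto == "pptp":
        return IPV4_HDR + gre + PPP_HDR + original
    l2tp = len(l2tp_data_header(tunnel_id=1, session_id=1))
    udp_packet = UDP_HDR + l2tp + PPP_HDR + original
    if proto == "l2tp":
        return IPV4_HDR + udp_packet
    if proto == "l2tp-ipsec":
        return IPV4_HDR + esp_wrap(udp_packet)        # ESP transport mode over the UDP packet
    raise ValueError("unknown protocol %r" % proto)


def overhead(proto, payload_len):
    """Bytes added compared with sending the original packet unprotected."""
    return wire_length(proto, payload_len) - (IPV4_HDR + payload_len)


def max_payload(proto, mtu=MTU):
    """Largest transport payload that still fits the MTU without fragmentation."""
    for p in range(mtu, -1, -1):
        if wire_length(proto, p) <= mtu:
            return p
    return 0


def report(payload_len=100, mtu=MTU):
    return {p: {"wire": wire_length(p, payload_len),
                "overhead": overhead(p, payload_len),
                "max_payload": max_payload(p, mtu)} for p in PROTOCOLS}


if __name__ == "__main__":
    for proto, row in report().items():
        print("%-16s wire=%4d overhead=%3d max_payload=%4d"
              % (proto, row["wire"], row["overhead"], row["max_payload"]))
```

Two things the numbers make concrete: with a 100-byte payload the L2TP/IPSec stack adds 80 bytes to a 120-byte packet, which is where the "excessive overhead" remark comes from, and each stack lowers the largest payload that avoids IP fragmentation, so a VPN that does not clamp the TCP MSS will fragment full-size packets and lose throughput independently of any cryptographic cost.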
It is reported that the overheads of the IKE protocol are considerably higher than those incurred by ESP for processing a data packet; that cryptographic operations contribute 32 to 60% of the overheads for IKE and 34 to 55% for ESP; and lastly, that digital signature generation and Diffie-Hellman computations are the largest contributors to overhead during the IKE exchange, with only a small fraction of the overhead attributable to symmetric key encryption and hashing.

The Layer 2 Tunneling Protocol (L2TP) on its own adds little processing overhead to a VPN connection, since no encryption, authentication or privacy mechanism is applied to the data packet. But when this protocol is combined with IPSec, it gains all the aforementioned mechanisms and becomes very secure, and this comes with added problems, protocol overhead among them. In this case both the IPSec and L2TP headers are added to the data packet, which increases the size of the packet and so decreases VPN performance (Berger, T. 2006).

The Internet, the Problem

Some articles and journals argue that the VPN does not directly incur processing overhead on the network; rather, the internet itself affects the performance. According to an article posted on the internet by VPN Consultants in the San Francisco Bay Area in an FAQ on security, most performance slowdowns in fact result from inconsistent internet connections rather than from encryption processing overhead. Liu, L. and Gao, W. (2007) explain that IPv4-based networks (IPv4 being the widely deployed internet protocol) have inherent deficiencies which have become obstacles to the evolution of networks. They argue that VPNs implemented on that network, i.e. the internet, automatically inherit some of these problems, such as the large overhead of network transport, the lack of Quality of Service (QoS) assurance, the NAT traversal problem, and so on.
They propose that VPNs implemented on IPv6 (Internet Protocol version 6), known as the next-generation protocol, can solve these problems effectively.

Packet Loss

A VPN tunnel can sometimes suffer high packet loss and reordering of packets. Reordering can cause problems for some bridged protocols, and high pack
