TRANSCRIPT
NETWORLD+INTEROP 98 Tokyo Internet Roaming, Workshop W875
Virtual Private Networks (VPNs)
Tunneling, VPNs and Roaming
Defining Some Terms
Intranet: Internal corporate applications using Web and Internet technology
Extranet: Extends an Intranet to include customers, suppliers and partners
Remote Access: Uses the Internet to link telecommuters and mobile workers to the company Intranet
Tunneling Defined
Creating a transparent virtual network link between two network nodes that is unaffected by physical network links and devices.
Tunneling Explained
Tunneling is encapsulating one protocol in another
Tunnels provide routable transport for unroutable packets: encrypted, illegally addressed, or of a protocol the intervening network does not support
Tunneling itself provides no security
One way to communicate…
(diagram: Los Angeles HQ, New York and Boston LANs, each behind a Firewall, Router and CSU/DSU, linked across the Internet; Remote Access Servers reached over the PSTN; Web Sites)
Another view of network possibilities...
A Virtual Private Network
(diagram: the same Los Angeles, New York and Boston LANs, each with Firewall, Router, CSU/DSU and a VSU-1000 at the Internet edge; Remote Clients (VPNremote) over the Internet; VPNmanager)
Tunneling Illustrated
(diagram: Workstation X, Router A, Tunnel, Router B, Workstation Y)
Step 1. Original, unroutable IP packet (dest Y) sent to router
Step 2. Original IP packet encapsulated in another (new) IP packet
Step 3. Original packet extracted, sent to destination (original IP packet, dest Y)
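The three steps above in working form, as an added example that is not part of the workshop slides: a minimal IP-in-IP (protocol 4) encapsulation at Router A and decapsulation at Router B in Python. The addresses, the payload and the validation Router B performs are constructed for illustration.

```python
import socket
import struct

IPPROTO_IPIP = 4  # IP-in-IP encapsulation, the "IP-IP" tunnel type named on the voluntary-tunnel slide

def checksum(data: bytes) -> int:
    """One's-complement Internet checksum over 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options, TTL 64) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(packet: bytes) -> dict:
    """Validate an IPv4 header and split it from its payload; ValueError on anything odd."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len < ihl or total_len > len(packet):
        raise ValueError("bad header/total length")
    if checksum(packet[:ihl]) != 0:
        raise ValueError("header checksum mismatch")
    return {"src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]),
            "proto": packet[9], "payload": packet[ihl:total_len]}

def encapsulate(inner: bytes, router_a: str, router_b: str) -> bytes:
    """Step 2 at Router A: the whole original packet becomes the payload of a new IP packet."""
    return build_ipv4(router_a, router_b, IPPROTO_IPIP, inner)

def decapsulate(outer: bytes) -> bytes:
    """Step 3 at Router B: check the outer header, strip it, hand back the original packet."""
    hdr = parse_ipv4(outer)
    if hdr["proto"] != IPPROTO_IPIP:
        raise ValueError("outer packet is not IP-in-IP")
    parse_ipv4(hdr["payload"])  # the inner packet must itself be well-formed IPv4
    return hdr["payload"]

# Constructed sample: workstation X (private 10.1.1.5) sends to workstation Y (10.2.2.9), an
# address the Internet will not route; routers A and B carry it between their public addresses.
INNER = build_ipv4("10.1.1.5", "10.2.2.9", 17, b"payload from X to Y")
OUTER = encapsulate(INNER, "198.51.100.1", "203.0.113.7")
```

Note that nothing here is encrypted or authenticated, which is exactly the slide's point that tunneling by itself provides no security.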
Types of Tunnels (with thanks to Bernard Aboba)
Two basic types of tunnels
Voluntary tunnels
  Tunneling initiated by the end-user
  (Requires client software on remote computer)
Compulsory tunnels
  Tunnel is created by NAS or router
  (Tunneling support required on NAS or Router)
Voluntary Tunnels
Will work with any network device
  Tunneling transparent to leaf and intermediate devices
  But user must have a tunneling client compatible with the tunnel server (PPTP, L2TP, L2F, IPSEC, IP-IP, etc.)
Simultaneous access to Intranet (via tunnel) and Internet possible
Employees can use personal accounts for corporate access
Remote office applications
Dial-up VPNs for low traffic volumes
A Voluntary L2TP Tunnel
(diagram: Client Host with a Serial Interface running the PPP access protocol to the Dial Access Provider's Dial Access Server, giving Dial IP Access, and a PPTP Virtual Interface to the VPN Service's PPTP Access Server)
Compulsory Tunnels
Will work with any client
  But NAS must support the same tunnel method
  But… tunneling transparent to intermediate routers
Network access controlled by tunnel server
  User traffic can only travel through tunnel
  Internet access possible, but must be by pre-defined facilities
  Greater control
  Can be monitored
Compulsory Tunnels
Static tunnels: all calls from a given NAS/Router tunneled to a given server
Realm-based tunnels: each tunnel based on information in the NAI (i.e. user@realm)
User-based tunnels: calls tunneled based on userID data stored in the authentication system
A Compulsory L2TP Tunnel
RADIUS Support for Tunnels
Can define tunnel type
Can define/limit tunnel end points
Allows tunnel configuration to be based on Calling-Station-ID or Called-Station-ID
Additional accounting information: tunnel end points, Tunnel ID, etc.
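Added example, not from the slides: how a RADIUS server could implement the static, realm-based and user-based compulsory tunnel choices of the previous slide, limit the permitted end points, and return the decision as the tagged tunnel attributes a NAS/LAC reads from an Access-Accept. The attribute numbers (64, 65, 67), the L2TP tunnel-type value and the tag layout are taken from RFC 2868, not from this deck; the policy tables, end points and NAIs are constructed.

```python
import struct
from typing import List, Optional, Tuple

# RADIUS tunnel attribute numbers and values from RFC 2868 (assumed, not from the slides)
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_SERVER_ENDPOINT = 64, 65, 67
TUNNEL_TYPE_L2TP, TUNNEL_MEDIUM_IPV4 = 3, 1

# Constructed (hypothetical) policy for a RADIUS server that steers compulsory tunnels.
# Static: every call to a given dialed number (Called-Station-Id) goes to one LNS.
STATIC_BY_CALLED_NUMBER = {"+81355550100": "lns.bigco.example"}
# Realm-based: the realm part of the NAI (user@realm) picks the LNS.
REALM_TUNNELS = {"acme.example": "lns1.acme.example"}
# User-based: per-user override stored alongside the authentication data.
USER_TUNNELS = {"alice@acme.example": "lns2.acme.example"}
# Only these end points may ever be handed to a NAS (limits the tunnel end points).
ALLOWED_ENDPOINTS = {"lns.bigco.example", "lns1.acme.example", "lns2.acme.example"}

def select_tunnel_endpoint(nai: str, called_station_id: Optional[str] = None) -> Optional[str]:
    """Most specific rule wins: user, then realm, then static by dialed number."""
    realm = nai.rsplit("@", 1)[1].lower() if "@" in nai else None
    if nai in USER_TUNNELS:
        endpoint = USER_TUNNELS[nai]
    elif realm in REALM_TUNNELS:
        endpoint = REALM_TUNNELS[realm]
    else:
        endpoint = STATIC_BY_CALLED_NUMBER.get(called_station_id or "")
    return endpoint if endpoint in ALLOWED_ENDPOINTS else None

def tagged_attr(attr_type: int, tag: int, value: bytes) -> bytes:
    """RFC 2868 tagged attribute: Type, Length, Tag, Value."""
    body = bytes([tag]) + value
    return struct.pack("!BB", attr_type, 2 + len(body)) + body

def tunnel_attributes(endpoint: str, tag: int = 1) -> bytes:
    """Attributes an Access-Accept carries so the NAS/LAC knows how and where to tunnel."""
    return (tagged_attr(TUNNEL_TYPE, tag, TUNNEL_TYPE_L2TP.to_bytes(3, "big"))
            + tagged_attr(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IPV4.to_bytes(3, "big"))
            + tagged_attr(TUNNEL_SERVER_ENDPOINT, tag, endpoint.encode("ascii")))

def parse_tagged_attrs(blob: bytes) -> List[Tuple[int, int, bytes]]:
    """Decode a run of tagged attributes into (type, tag, value); reject malformed lengths."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 3 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed RADIUS attribute")
        length = blob[i + 1]
        out.append((blob[i], blob[i + 2], blob[i + 3:i + length]))
        i += length
    return out

def authorize_call(nai: str, called_station_id: Optional[str] = None) -> Optional[bytes]:
    """Tunnel attributes for the Access-Accept, or None when no compulsory tunnel applies."""
    endpoint = select_tunnel_endpoint(nai, called_station_id)
    return tunnel_attributes(endpoint) if endpoint else None
```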
RADIUS Dial Up Security
(diagram: Remote User logs in to the RAS at the Boundary of the Private Network; the RAS speaks the RADIUS Protocol to the RADIUS Server; a Hacker is shown outside the boundary)
Authenticates dial in users at the boundary of the private network
Protocol Comparison
PPTP L2TP IPSEC
Authenticated Tunnels X X
Compression X X X
Smart Cards X X
Address Allocation X X
Multiprotocol X X
Encryption X
Flow Control X
Requires Server X X
Layer 2 Tunneling Protocol (L2TP)
(diagram: Mobile Employee and Telecommuter dial into LACs on the Shared Dial Network; an L2TP Tunnel carries their PPP to the LNS at the edge of the Private Network, which consults RADIUS)
L2TP Access Concentrator (LAC) tunnels PPP frames in IP
L2TP Network Server (LNS) de-tunnels PPP, authenticates via RADIUS and performs address assignment