Virtual Private Networks (VPNs)

Virtual Private Networks (VPNs) P. Serdaris, V. Zacharaki, S. Papanikolaou, A. Daios, G. Oreopoulos Technological Educational Institute of Western Macedonia, Kozani, Greece

Abstract. The purpose of this article is to examine how large companies have grown and, in particular, how they connect and communicate with their branches using a Virtual Private Network (VPN). Such a connection must give the company security of data transfer, speed, communication quality and, most importantly, cost savings. The solution examined here is the Virtual Private Network (VPN).

Keywords: Virtual private network, remote access, tunneling

Definition of Virtual Private Network (VPN) and its characteristics

The globalization of the market and technological developments have forced many companies to change the way they work. Most companies want to expand to geographical areas beyond their headquarters [1-3]. These companies need to maintain branches in many parts of their country and even abroad; they have employees who travel, and they need to share data with their clients and suppliers. Until quite recently this meant using leased lines to build a WAN (wide area network). These leased lines ranged in bandwidth from ISDN (Integrated Services Digital Network, 128 Kbps) to OC-3 (Optical Carrier-3, 155 Mbps), and with them companies could extend their private network beyond a small geographical area. A WAN has advantages over a public network such as the Internet in efficiency, safety, reliability and performance. But the cost of a WAN is very high, especially when leased lines are used, and it grows with the distance between the offices. The network was often overloaded, and the risk that the branches would be cut off and stop functioning whenever something happened at the headquarters was always present. As the Internet spread, companies wanted faster, safer and more reliable communication between their offices wherever these were located. To meet their employees' need to communicate, several companies started to build their own Virtual Private Network (VPN) to serve their remote employees and offices.

The definition of a Virtual Private Network is: a VPN extends a private network across a public network, such as the Internet, in order to communicate with other sites or remote networks. Instead of a dedicated connection such as a leased line, a VPN uses virtual connections routed through the public network from the company's private network to the remote site or employee. A VPN is a way to connect the remote points of a company, possibly its associates and in some cases its suppliers and clients, so that they can operate privately, faster, cheaper and more effectively. There are many technologies for implementing VPNs, each with its advantages and disadvantages. What they all have in common is the interconnection of two or more points using a public network as infrastructure, in a way that guarantees the security of the information against outsiders. The phrase Virtual Private Network is composed of the terms virtual, private and network, whose meaning is explained below.

Virtual: The term virtual means that something is not real. It is used because, unlike dedicated lines, which keep a permanent connection between the points, the connection is created only for the time required to carry out the operation and is then torn down, leaving the network and the equipment free for other use. Moreover the term denotes a logical rather than a physical structure, as with LANs: the network comes into existence, changes and is amended depending on the point and the time of the connection, using the equipment of an external party (the ISP) and not necessarily that of the company itself.

Private: The term private means that a personal, private connection is created between two points even though a shared telephone network is used or other data are carried over it. It further means security and protection from interception, since all the data are confidential.

Network: A network consists of two or more devices that can communicate freely and electronically with one another over cable or wireless links. A VPN is a network. It can carry data over large distances effectively and efficiently. A VPN can be used safely among different types of networks, such as an extranet, and this ability is exactly what is most used today. A VPN can be used with connections from 9.6 Kbps to 2 Mbps, over a leased line or the ordinary telephone network, depending on the demands of its use.

A VPN is a subcategory of an intelligent network. This term refers to a platform architecture of software and hardware which gives "intelligence" to telecommunication networks, so that new telecommunication services can be developed very easily, quickly and cheaply according to the needs of the telecommunication market. Access can be through the switched telephone networks PSTN and ISDN.

Characteristics of Intelligent Network
• Great flexibility in routing traffic (flexible routing). Calls can be routed to their destination (telephone numbers, recorded messages, answering machine etc.) depending on the parameters we specify (date, time, caller area, called party etc.).
• Restriction / call filtering (screening features). The restrictions under which calls are handled by the system can be authorized (intercepting outgoing or incoming calls, defining closed user groups etc.).
• Great flexibility in billing services (flexible billing). The service charge can be made to the caller, to the called party or to both, according to the zones defined, depending on the service and the client.
• Rapid development and provision of services according to the client's requirements.
• Planning of new services depending on market demand.
• No additional equipment is required for the provision of services.

Main points of VPNs
VPNs operate either at layer 2 or at layer 3 of the OSI (Open Systems Interconnection) model. A layer-2 VPN carries layer-2 frames such as Ethernet, while a layer-3 VPN carries layer-3 packets such as IP [4]. A layer-3 VPN starts at layer 3: it discards the incoming layer-2 frame and produces a new layer-2 frame towards the destination. Two of the most commonly used protocols for establishing a layer-2 VPN over the Internet are the Layer 2 Tunneling Protocol (L2TP) and the Point-to-Point Tunneling Protocol (PPTP). A more recent technology, Multiprotocol Label Switching (MPLS), is used by service providers to build layer-3 VPNs (and, with pseudowires, layer-2 VPNs as well).

There are two main prevalent types of Virtual Private Network:

• Remote-Access: Also called a virtual private dial-up network (VPDN). This is a user-to-LAN connection, used by a company whose employees need to connect to the private network from various remote locations. To build a dial-up VPN a Network Access Server (NAS) is needed, through which the members of the company gain access to the network. The NAS is provided by an Enterprise Service Provider (ESP), which installs the access software on the NAS. Telecommuters then dial a toll-free number to reach the NAS and, using the VPN client software issued to them, gain access to the corporate network.

Figure 1. Topology VPN

Figure 2. Remote Access VPN

A good example of a company that needs a remote-access VPN is a large firm with hundreds of salespeople in the field. Remote-access VPNs allow a secure, encrypted connection between a company's private network and its remote users through a network service provider [5].

• Site-to-Site: Using dedicated equipment and strong encryption, a company can connect multiple fixed sites over a public network such as the Internet. The employees are again connected through specific software and equipment, and the data are protected with encryption. Site-to-site VPNs are divided into two categories:

a) Intranet-based: If a company has one or more locations that it wants to join into a single private network, it can build an intranet-based VPN that connects one local network to another (LAN to LAN). Intranet VPNs are about connecting the offices and branches of a company. The point is central management of the company's infrastructure, so that the remote points use the infrastructure (logistics, warehouse, human resources, payroll software or other specific applications) directly through the company's central offices. The resulting functionality is obvious: all offices and branches of the company are connected to its headquarters, have immediate access to the data of interest to them, and the company is informed automatically of every move of its peripheral offices and branches. This also enables intercompany telephony, allowing communication with all these points through internal calls.

Figure 3. Intranet VPN

b) Extranet-based: When a company has a close relationship with another company, it can build an extranet-based VPN to make a LAN-to-LAN connection. This lets all the companies that build an extranet VPN among them share the same virtual environment. In that case the virtual private network extends to partners, customers, suppliers, the dealer network and so on. The functionality is the same, except that each VPN member's access to the company's resources is graded according to the rights the company chooses to assign. Telephony between companies through the VPN applies here too, offering zero-cost communication among the companies that participate in the private network.

Figure 4. Extranet VPN

With the appropriate equipment the following are possible:
• LAN interconnection.
• Online applications (UNIX, IBM etc.).
• Client/server applications.
• Interconnection of ASCII terminals to a host.
• Remote PC access.

Whatever form of VPN we meet, the principle of use remains the same: every remote member of a company can communicate with the company's private network over the Internet safely and reliably. Like a simple LAN, a VPN can grow easily to serve more employees, and this is a major advantage of VPNs. A VPN can expand to other locations without large cost, unlike a leased line, whose cost rises with distance.

c) Access VPNs: Access VPNs connect isolated users to the corporate network from home or while travelling (also known as VPDNs, Virtual Private Dialup Networks). With an access VPN a business executive can have complete access to the company network, just as if he or she were in the office, but from home or on a trip, and can even use the company's internal telephony from a personal computer.

VPN use

• Network interconnection through the Internet. There are two methods of interconnecting local networks via the Internet [6]:
  - The use of leased lines to connect a branch to the company's local network. Instead of an expensive leased line between the two points, the branch and the company network (its router) each use a leased line to their local ISP. The VPN software uses these ISP connections to create a virtual private network, as described above.
  - The use of a dial-up connection from a branch to the company's local network. As with the remote-access user, the branch dials up to the Internet while the company network uses a leased line.

• PC interconnection through the Internet. In some corporate networks the data of certain departments are so sensitive that their networks are not physically connected to the company network. Although this protects some data, it creates accessibility problems for useful information. VPNs allow such departmental networks to be connected at the physical layer to the company network, with a VPN server as intermediary. The VPN server is not a router between the two networks, since a router would give every user easy access to the sensitive data. With a VPN, the network administrator can be sure that only users with the appropriate rights can access these data. For example, the general management of a company would not want all its users to have access to the payroll lists of its employees, for obvious reasons.



The advantages of VPNs are summarized as follows:

Low cost: Leased lines such as T1 (1.5 Mbps) and T3 (45 Mbps) carry a large monthly fee that depends on the distance between the connected points, and each Permanent Virtual Circuit (PVC) costs extra. Over long distances the cost is prohibitive. By contrast, lines of the same speed to a local Internet Service Provider (ISP) cost less, or the distance charge is avoided entirely, since the interconnection can be made from anywhere with a simple connection, with all the advantages described above.

Flexibility: In traditional networks all peripheral offices and remote branches must run compatible equipment. In a VPN there are no such limits or compatibility problems; a single connection to an ISP is enough for communication.

Scalability: a) Using the Internet as the transmission medium offers unlimited geographical reach; customers, suppliers and company staff can connect with each other very easily from anywhere in the world at any time. b) These connections are easily upgraded as requirements grow, without forced equipment upgrades at every point, since only the type of ISP connection changes.

Security: One of the most important aspects of operating a VPN is its security. VPNs provide enhanced security through the tunneling and security protocols they use. To protect users' access to the VPN, well-known means are used, such as firewalls and data encryption, as well as the IPsec protocol and AAA servers. IPsec (Internet Protocol Security) provides stronger encryption algorithms and authentication of the communicating peers. Only systems that support IPsec can use its functions, and ordinary firewalls and network security settings are still required alongside it. IPsec can encrypt data between different endpoints. Finally, AAA servers provide additional protection when employees connect to the VPN: when a user connects to open a session, a request is created which checks who the user is (authentication), what access he or she has (authorization) and what operations he or she performs (accounting). All of the above are analysed below.

Management: Easy and centralized network management, since IP addressing, user access policies, security and related tasks are controlled from a single point.

Basic VPN requirements
Usually, when a company installs a VPN, controlled user access is necessary. Specifically, it is very important that each user has access only to the information he or she is authorized for and, in the case of remote access, that the security of the data passing over the Internet is guaranteed. For these reasons a VPN must provide at least the following [7]:

User authentication. The solution each firm chooses should verify the user's identity and restrict VPN access to authorized persons only. It should also check and record who accessed what information, and when.

Address management. The VPN server should assign the client an address on the local network and keep that address confidential.

Data encryption. Data sent over the public network (Internet) must not be readable by third parties.

Key management. It must be possible to generate and renew the encryption keys for the client and the server.

Multiprotocol support. The common protocols used on the Internet, such as IP, Internetwork Packet Exchange (IPX), etc., should be supported.

A VPN solution based on the Point-to-Point Tunneling Protocol (PPTP) or the Layer 2 Tunneling Protocol (L2TP) was designed to meet all of the above while exploiting the broad reach of the Internet. Note, however, that PPTP's MS-CHAPv2 authentication and MPPE encryption have known weaknesses and PPTP is now considered obsolete, and that L2TP by itself carries no encryption: in practice it is run inside IPsec (L2TP/IPsec), which supplies the data encryption and key management listed above.

VPN Security
The most important aspect of a VPN is security. It is achieved by well-known means such as firewalls, data encryption, the IPsec protocol (Internet Protocol Security) and verification of the user's identity (authentication). The active equipment encrypts outbound traffic so that only the intended recipient can decrypt it. As usual with encryption, there are various security levels, which change the cost of each solution. In the IP environment two such protocols are used, GRE and IPsec. GRE (Generic Routing Encapsulation) only encapsulates traffic and provides no encryption or authentication of its own, so it is adequate only within a controlled environment where the owner of the transport network is trusted. IPsec is used where the maximum possible security is required, as for financial institutions, brokerage firms and generally wherever the transferred information is highly sensitive. Besides encryption, IPsec offers authentication of the parties involved in the VPN (whether local networks or individual users), integrity of the data in transit and protection of the local networks from malicious attacks.

Firewalls – The firewall is an important security guard between the private network and the Internet. Firewalls can be configured to limit the number of open ports, to determine which kinds of packets are allowed to enter the LAN, and even which protocols are permitted. A good firewall should be installed before a Virtual Private Network (VPN) comes into operation. A firewall can also serve as the endpoint that terminates a VPN tunnel. Even the simplest form of VPN always has a firewall.

AAA Server – AAA servers (authentication, authorization and accounting) are used for still more secure access to a remote VPN environment. When a client's request to open a new session is received over the telephone line, the request is passed from a proxy to the AAA server, which immediately checks:
• identity (authentication)
• rights (authorization)
• actual actions (accounting)
The accounting information on a user's actual actions is very useful for recording the client's operations, for audit, for billing and for educating users as well.

Encryption – With this process all the data that one computer sends to another are encoded into a form that only the receiving computer can decode. Most computer encryption systems belong to one of two categories:
• symmetric-key encryption
• public-key encryption
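The AAA exchange described above, between the NAS that takes the dial-in request and the AAA server that decides on it, as an added example that is not part of the original article. The paper names no AAA protocol, so RADIUS (RFC 2865) is assumed here, being the usual protocol on that link; the shared secret, user names, passwords and NAS address are made up. Both sides are shown: the NAS hides the password and sends an Access-Request, the server verifies the user against a stored PBKDF2 hash, writes an accounting record and answers with an Access-Accept or Access-Reject whose Response Authenticator the NAS checks before believing the answer.

```python
"""RADIUS Access-Request / Access-Accept between a NAS and an AAA server (added example).

Constructed for this article, not from the paper. RADIUS (RFC 2865) is an assumption;
the secret, users, passwords and addresses are made up. Shows the User-Password
hiding, the Response Authenticator check on the NAS side and an accounting record.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
ITERATIONS = 100_000          # PBKDF2 work factor for the stored password hashes


def encode_attrs(pairs):
    """Type-Length-Value attributes; Length covers the two header bytes too."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def decode_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = data[i + 2:i + l]
        i += l
    return attrs


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks; block_i XOR MD5(secret || previous cipher block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def unhide_password(hidden, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def nas_access_request(user, password, secret, ident=7):
    """NAS side. The 16-byte Request Authenticator must be fresh and unpredictable per request."""
    req_auth = os.urandom(16)
    attrs = encode_attrs([(USER_NAME, user),
                          (USER_PASSWORD, hide_password(password, secret, req_auth)),
                          (NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))])   # RFC 5737 test address
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth


def make_user(password, salt=None):
    """Server stores a salted PBKDF2 hash; PAP delivers the clear text, so verification is possible."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)


def aaa_server(packet, secret, users, accounting):
    """Authenticate, decide, record (accounting) and build the reply packet."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    req_auth, attrs = packet[4:20], decode_attrs(packet[20:length])
    user = attrs.get(USER_NAME, b"")
    pw = unhide_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    salt, stored = users.get(user, (b"\x00" * 16, b"\x00" * 32))     # unknown user: same work, no timing leak
    match = hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", pw, salt, ITERATIONS), stored)
    reply_code = ACCESS_ACCEPT if (user in users and match) else ACCESS_REJECT
    nas = ".".join(str(b) for b in attrs.get(NAS_IP_ADDRESS, b""))
    accounting.append({"user": user.decode(errors="replace"), "nas": nas, "result": reply_code})
    header = struct.pack("!BBH", reply_code, ident, 20)               # no reply attributes
    # Response Authenticator = MD5(Code || ID || Length || RequestAuth || Attributes || Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()


def nas_check_reply(reply, req_auth, secret):
    """NAS side: a reply whose Response Authenticator fails is discarded, whatever code it carries."""
    header, resp_auth, attrs = reply[:4], reply[4:20], reply[20:]
    expect = hashlib.md5(header + req_auth + attrs + secret).digest()
    if not hmac.compare_digest(resp_auth, expect):
        raise ValueError("reply failed Response Authenticator check")
    return reply[0]


def demo():
    secret = b"example-shared-secret"                      # made up
    users = {b"alice": make_user(b"correct horse battery")}  # made up
    log = []
    req, ra = nas_access_request(b"alice", b"correct horse battery", secret)
    good = nas_check_reply(aaa_server(req, secret, users, log), ra, secret)
    req2, ra2 = nas_access_request(b"alice", b"wrong", secret)
    bad = nas_check_reply(aaa_server(req2, secret, users, log), ra2, secret)
    forged = struct.pack("!BBH", ACCESS_ACCEPT, 7, 20) + os.urandom(16)  # spoofed Accept, no secret
    try:
        nas_check_reply(forged, ra2, secret)
        forged_result = "accepted"
    except ValueError:
        forged_result = "rejected"
    return {"good": good, "bad": bad, "forged": forged_result, "log": log}


if __name__ == "__main__":
    print(demo())
```

Two things worth noticing in the code: the password hiding and the Response Authenticator are MD5 constructions from 1997, not a MAC, which is why RADIUS over plain UDP belongs on an isolated management network or inside IPsec/TLS, and why a server should require the Message-Authenticator attribute (RFC 2869); and the server does the same PBKDF2 work for an unknown user as for a known one, so the reply time does not reveal which user names exist.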

In symmetric-key encryption each computer holds a secret key which it uses to encrypt a packet of information before sending it over the network to another computer. Symmetric-key encryption presupposes that you know which computers will talk to each other, so that the key can be installed on each of them. The key is usually a secret that both computers must know in order to decode the information. It is like writing an encoded message to a friend in which each letter is replaced by the letter two positions later in the alphabet, so "A" becomes "C", "B" becomes "D", and so on. Of course we have told our friend how to decode the message, so when it is received it can be read; to everyone else its content is unintelligible.

Public-key encryption uses a combination of a private key and a public key. The private key is known only to our computer, while the public key is handed out by our computer to every computer that wants to communicate securely with it. A computer that wants to send us a confidential message encrypts it with our public key, and only our computer, holding the matching private key, can decrypt it; conversely, something signed with the private key can be verified by anyone holding the public key. A very popular application of public-key encryption is Pretty Good Privacy (PGP), which allows you to encrypt almost anything. In practice the two categories are combined: public-key techniques authenticate the peers and agree a session key, and that symmetric key encrypts the bulk traffic, since symmetric ciphers are far faster.

The basic structural elements of a Virtual Private Network are:
• Tunneling: the process that creates "tunnels" for transferring "packets" of data over the Internet.
• Security: the protection required during the transfer of such data because of the nature of this environment, namely
• certification that the data come from the source they claim,
• access only to authorized users,
• confidence that no one reads or copies the data, and
• integrity, i.e. no alteration of the data during transfer.
Security services are now offered at all layers of the OSI model, at the upper ones (application and session) as well as at the lower ones (network and data link).
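The combination just described, public-key agreement of a session key followed by symmetric protection of the traffic, together with the key-generation and renewal demanded under "Key management" above, as an added example that is not code from the original article. It is written with only the Python standard library, so the symmetric cipher is a keystream made with HMAC-SHA256 in counter mode rather than AES; a real VPN would use AES-GCM or ChaCha20-Poly1305. The Diffie-Hellman group is RFC 3526 group 14 (the prime is transcribed here and should be checked against the RFC), the key derivation is HKDF (RFC 5869), and the message "GET /payroll/export" and the label "vpn-example keys" are made up. Renewing keys is simply running the handshake again.

```python
"""Key agreement and bulk encryption for a VPN data channel (added example).

Constructed for this article, not taken from the paper. Diffie-Hellman over the
RFC 3526 group 14 prime gives both ends a shared secret, HKDF derives separate
encryption and MAC keys per direction, and packets use encrypt-then-MAC with a
sequence number that doubles as nonce and replay counter. The DH values are not
authenticated here; a real system signs them or uses certificates.
"""
import hashlib
import hmac
import secrets

# RFC 3526 group 14 (2048-bit MODP) prime, transcribed by hand: verify against the RFC before real use.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
P_BYTES = (P.bit_length() + 7) // 8          # 256


def dh_keypair():
    """One party's ephemeral (private, public) pair."""
    priv = secrets.randbelow(P - 2) + 1      # 1 <= priv <= P-2
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Shared secret as fixed-width bytes; 0, 1 and P-1 are rejected because they pin the result."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, P).to_bytes(P_BYTES, "big")


def hkdf(ikm, salt, info, length):
    """HKDF-SHA256 extract-then-expand (RFC 5869)."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    for i in range(1, -(-length // 32) + 1):
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def derive_keys(shared, c_pub, s_pub):
    """Bind the keys to both public values; one (enc, mac) pair per direction."""
    salt = hashlib.sha256(c_pub.to_bytes(P_BYTES, "big") + s_pub.to_bytes(P_BYTES, "big")).digest()
    km = hkdf(shared, salt, b"vpn-example keys", 64)
    return {"c2s": (km[:16], km[16:32]), "s2c": (km[32:48], km[48:64])}


def _keystream(key, nonce, n):
    """PRF counter mode: HMAC(key, nonce || counter) blocks, truncated to n bytes."""
    out = b""
    for ctr in range(-(-n // 32)):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def seal(keys, seq, plaintext):
    """seq is a per-direction counter: it is the nonce, and it lets the receiver reject replays."""
    enc_key, mac_key = keys
    nonce = seq.to_bytes(8, "big")
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def open_packet(keys, packet, last_seq):
    """Verify the tag before touching the ciphertext; returns (seq, plaintext)."""
    enc_key, mac_key = keys
    nonce, ct, tag = packet[:8], packet[8:-16], packet[-16:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:16]):
        raise ValueError("authentication failed")
    seq = int.from_bytes(nonce, "big")
    if seq <= last_seq:
        raise ValueError("replayed packet")
    return seq, bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def demo():
    """Both sides of one session; each side sees only the other's public value."""
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    client = derive_keys(dh_shared(c_priv, s_pub), c_pub, s_pub)
    server = derive_keys(dh_shared(s_priv, c_pub), c_pub, s_pub)
    pkt = seal(client["c2s"], 1, b"GET /payroll/export")       # made-up payload
    seq, plain = open_packet(server["c2s"], pkt, 0)
    flipped = pkt[:9] + bytes([pkt[9] ^ 0x01]) + pkt[10:]     # one ciphertext bit changed in transit
    outcome = {"keys_match": client == server, "plaintext": plain, "seq": seq}
    for name, p, last in (("tamper", flipped, 0), ("replay", pkt, seq)):
        try:
            open_packet(server["c2s"], p, last)
            outcome[name] = "accepted"
        except ValueError as e:
            outcome[name] = str(e)
    return outcome


if __name__ == "__main__":
    print(demo())
```

The replay check is deliberately the simplest possible (strictly increasing sequence numbers); IPsec uses a sliding window so that reordered datagrams are not rejected, but the principle, authenticate first and only then look at the counter and the ciphertext, is the same.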

Basic Principles of Tunneling
Tunneling is a method of using a network infrastructure to transfer data from one network to another. The data to be transferred (the payload) may be frames or packets of a different protocol. Instead of sending the packets or frames as they were created, tunneling "encapsulates" them in an additional header, which provides the routing information for the transit network. The packets travel along a logical path, called a tunnel, through the Internet; when they reach their destination the additional headers are removed. The term tunneling covers the whole of this process (encapsulation, transfer and removal of headers). The newest tunneling technologies are the following:

Point-to-Point Tunneling Protocol (PPTP). PPTP allows IP, IPX or NetBEUI traffic to be encrypted and then wrapped in an IP header, so that it can be sent across a corporate IP internetwork or the public IP network, the Internet.

Layer 2 Tunneling Protocol (L2TP). L2TP allows IP, IPX or NetBEUI traffic to be carried over any medium that supports point-to-point datagram delivery, such as IP, X.25, Frame Relay and ATM; when encryption is needed it is supplied by running L2TP over IPsec.

IP Security (IPsec) Tunnel Mode. IPsec tunnel mode allows whole IP packets to be encrypted and then wrapped in a new IP header, so that they can be sent across a corporate IP internetwork or the public Internet.

Tunneling implementation
For layer-2 technologies such as PPTP and L2TP the process is as follows. Both ends of the tunnel must negotiate the configuration parameters (configuration variables), such as encryption and compression parameters. In most cases the data transferred through the tunnel use datagram-based protocols. Layer-3 technologies assume that these parameters have been configured out of band [8]. Once the tunnel is established, data can be sent. The sender (client or server) uses a data-transfer protocol: e.g. when the client (say, a company branch) sends a payload to the server, it adds the data-transfer protocol header, encapsulating the payload, and routes the result to the server. The server accepts the packets and removes the additional header, keeping only the useful data (the payload).
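The encapsulation and header removal described in the two sections above, as an added example that is not code from the original article. It uses GRE (RFC 2784), the encapsulation-only protocol mentioned earlier under VPN Security, so that the outer header, the tunnel header and the inner packet are all visible as bytes: an inner IPv4/UDP packet from a branch host is wrapped at the branch gateway and unwrapped at the headquarters gateway, which verifies the outer header checksum first. The addresses are documentation ranges (RFC 5737) and the payload is made up; the last field returned shows the security point of that section, that GRE on its own leaves the inner packet readable in transit.

```python
"""GRE tunnel encapsulation and decapsulation of an IPv4 packet (added example).

Constructed for this article, not taken from the paper. Builds an inner IPv4/UDP
packet, wraps it in a GRE header (RFC 2784) and an outer IPv4 header (protocol 47),
then strips both again at the far end after checking the outer header checksum.
"""
import struct

IPPROTO_UDP, IPPROTO_GRE = 17, 47
ETHERTYPE_IPV4 = 0x0800


def ipv4_checksum(header):
    """Ones-complement sum of 16-bit words (RFC 791); a valid header sums to 0 under this function."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, tos=0, ttl=64):
    """20-byte header, no options, DF set; src/dst are 4-byte packed addresses."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0, 0x4000, ttl, proto, 0, src, dst)
    return fields[:10] + struct.pack("!H", ipv4_checksum(fields)) + fields[12:]


def parse_ipv4(packet):
    ver_ihl, tos, total, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total > len(packet):
        raise ValueError("not a valid IPv4 packet")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("header checksum mismatch")
    return {"src": src, "dst": dst, "proto": proto, "tos": tos, "ttl": ttl, "payload": packet[ihl:total]}


def inner_packet(src, dst, sport, dport, data):
    """The packet a branch host actually sent: IPv4 + UDP (a zero UDP checksum is legal over IPv4)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    return ipv4_header(src, dst, IPPROTO_UDP, len(udp)) + udp


def gre_encapsulate(inner, tunnel_src, tunnel_dst):
    """Tunnel entry: GRE header with no optional fields, then the outer delivery header."""
    gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4) + inner
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, len(gre), ttl=255) + gre


def gre_decapsulate(packet):
    """Tunnel exit: check the outer header, strip it and the GRE header, return the inner packet."""
    outer = parse_ipv4(packet)
    if outer["proto"] != IPPROTO_GRE:
        raise ValueError("not GRE")
    flags, ptype = struct.unpack("!HH", outer["payload"][:4])
    if flags & 0xB000:                 # C, K or S bit: checksum/key/sequence fields not handled here
        raise ValueError("GRE optional fields present")
    if (flags & 0x0007) != 0 or ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE version or payload type")
    return outer["payload"][4:]


def demo():
    branch_host, hq_server = bytes([10, 1, 0, 5]), bytes([10, 2, 0, 9])      # private, inner
    branch_gw, hq_gw = bytes([203, 0, 113, 1]), bytes([198, 51, 100, 7])    # public, outer
    inner = inner_packet(branch_host, hq_server, 40000, 5060, b"payroll export")  # made up
    on_the_wire = gre_encapsulate(inner, branch_gw, hq_gw)
    return {
        "inner": inner,
        "decapsulated": gre_decapsulate(on_the_wire),
        "outer": parse_ipv4(on_the_wire),
        "payload_visible_in_transit": b"payroll export" in on_the_wire,   # GRE adds no confidentiality
        "overhead_bytes": len(on_the_wire) - len(inner),
    }


if __name__ == "__main__":
    r = demo()
    print(r["outer"]["proto"], r["overhead_bytes"], r["payload_visible_in_transit"])
```

The 24 bytes of overhead (20 for the outer IP header plus 4 for GRE) are why tunnel interfaces carry a smaller MTU than the physical link; IPsec ESP in tunnel mode adds its own SPI, sequence number, IV, padding and integrity tag on top of the same outer header, and it is those fields, absent here, that turn an encapsulation into a secure tunnel.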

VPNs in Greece
Several companies in Greece already connect their branches using VPNs. This, of course, presupposes that an extranet was implemented in a previous phase. The majority of the ISPs in our country offer VPN implementations as well.

Differentiated Services
Differentiated Services (DiffServ) have recently become the recommended method of addressing QoS issues in IP networks. In a DiffServ network, packets are classified before entering the network by a packet classification mechanism, and the service that a router offers a packet depends only on the packet's class. The QoS information is carried inside the packet, in the Type of Service (ToS) field of the IP header. An end-to-end service results from the sequence of per-domain services and from the Service Level Agreements (SLAs) between adjacent domains along the traffic path from source to destination. Within each domain, services are implemented by traffic conditioning at the edge and by simple differentiated forwarding mechanisms in the core of the network. To receive differentiated services from an Internet Service Provider (ISP), customers must have an SLA with their ISP. An SLA essentially specifies the service classes that are supported and the amount of traffic allowed in each class. An SLA may be static or dynamic: a static SLA is negotiated at regular intervals, such as monthly or annually, whereas a dynamic SLA must be negotiated with a signalling protocol such as RSVP to request services on demand. When Internet resources are allocated, the resource check can be performed independently, or by agents that have some knowledge of the organization's priorities and of the policies that must be followed.

VPN cost
A VPN is a solution tailored to the specific needs of a business, so its implementation cost depends on the needs it has to cover. More specifically, it depends on:
1. The number of points that will compose it.
2. The connection capacity (bandwidth) of the points.
3. The voice channels it will support (concurrent calls).
4. The Internet access speed selected.
5. The number of remote users who will have access through telephone connections.
6. The assignment of priorities in application sharing.
7. The telecommunication costs (which do not concern Hellas On Line, e.g. ΟΤΕ charges) for connecting the points to the nearest Hellas On Line point of presence.

Conclusions
This completes the study of the technologies that modern companies use to communicate with other networks and with their branches. The objective of all the above is faster handling of processes, better coordination of activities and, of course, a reduction in the operating cost of the business, which is the most important factor for its development.

Acknowledgements
The authors would like to thank Mrs. I. Pesiridi for her valuable contribution to the writing of the article.
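The edge behaviour described above, classification on entry, marking in the ToS byte and enforcement of the per-class traffic amounts in the SLA, as an added example that is not code from the original article. The classes, the classification rules, the SLA rates and the packets are all made up; the DSCP values are the standard ones (EF = 46, AF41 = 34) and the re-marking ladder AF41 to AF42 to AF43 follows RFC 2597. The security point it demonstrates is the trust boundary: the router ignores whatever DSCP a customer host wrote, otherwise any host could mark its bulk traffic EF and starve the voice class.

```python
"""DiffServ edge: classification, DSCP marking and SLA policing (added example).

Constructed for this article, not taken from the paper. An edge router classifies
each packet itself, writes the DSCP into the ToS byte, and polices each class with
a token bucket sized from the SLA. Out-of-profile EF (voice) is dropped; out-of-
profile AF traffic is re-marked to a higher drop precedence instead of being dropped.
"""

DSCP = {"EF": 46, "AF41": 34, "AF42": 36, "AF43": 38, "BE": 0}


def tos_byte(dscp, ecn=0):
    """RFC 2474: DSCP is the top six bits of the old ToS octet, ECN the bottom two."""
    return (dscp << 2) | (ecn & 0x3)


def dscp_of(tos):
    return tos >> 2


def classify(pkt):
    """Trust boundary: the class comes from the 5-tuple, never from the customer's own marking."""
    if pkt["proto"] == 17 and pkt["dport"] == 5004:     # constructed rule: RTP voice
        return "EF"
    if pkt["proto"] == 6 and pkt["dport"] == 443:       # constructed rule: business web apps
        return "AF41"
    return "BE"


class TokenBucket:
    """rate in bytes/second, burst in bytes; tokens refill continuously up to the burst size."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, 0.0

    def conforms(self, nbytes, now):
        self.tokens = min(self.burst, self.tokens + self.rate * (now - self.last))
        self.last = now
        if self.tokens >= nbytes:
            self.tokens -= nbytes
            return True
        return False


class EdgeRouter:
    def __init__(self, sla):
        self.meters = {cls: TokenBucket(rate, burst) for cls, (rate, burst) in sla.items()}

    def ingress(self, pkt, now):
        """Returns (class, dscp written, action) and overwrites pkt['tos'] with the router's marking."""
        cls = classify(pkt)
        dscp = DSCP[cls]
        if self.meters[cls].conforms(pkt["len"], now):
            action = "forward"
        elif cls == "EF":
            action = "drop"                               # excess voice is dropped, never downgraded
        elif cls.startswith("AF"):
            dscp = min(dscp + 2, (dscp & 0x38) | 6)       # AFx1 -> AFx2 -> AFx3, capped at AFx3
            action = "remark"
        else:
            action = "forward"                            # best effort: no guarantee, nothing to enforce
        pkt["tos"] = tos_byte(dscp)
        return cls, dscp, action


def demo():
    # SLA: (rate in bytes/s, burst in bytes) per class; made-up numbers
    sla = {"EF": (64_000, 2_000), "AF41": (1_000_000, 20_000), "BE": (10_000_000, 100_000)}
    router = EdgeRouter(sla)
    voice = {"proto": 17, "dport": 5004, "len": 1000, "tos": 0}
    web = {"proto": 6, "dport": 443, "len": 15000, "tos": tos_byte(46)}   # host marked itself EF
    stream = [(0.0, dict(voice)), (0.0, dict(voice)), (0.0, dict(voice)),
              (0.0, dict(web)), (0.0, dict(web)), (1.0, dict(voice))]
    return [router.ingress(p, t) for t, p in stream]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

With the constructed SLA the EF bucket admits two 1000-byte voice packets in a burst and drops the third, the second 15000-byte web transfer exceeds the AF41 profile and is re-marked AF42, and after one second of refill the next voice packet is admitted again; the web host's attempt to mark itself EF never reaches the core.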

References
[1] www.nortelnetworks.com - Network solutions company with products, services, integrated solutions, etc.
[2] findvpn.com - Virtual Private Networks resources and services.
[3] www.intel.com - VPN products.
[4] www.vpnet.com - Company of VPN solutions with products, integrated solutions, etc.
[5] www.wiley.com - Publishing organization: books on VPNs and links to products, services, VPN tests, Internet Drafts and RFC pages etc.
[6] www.signal9.com - Network solutions company with products (firewalls, VPNs etc.).
[7] www.oms.co.za - Internet solutions, VPNs, products.
[8] www.lcs.mit.edu - (MIT) Massachusetts Institute of Technology's Laboratory for Computer Science (LCS), Cairin VPN.