VIRTUAL PRIVATE NETWORK
This paper describes the major technologies for virtual private networks (VPNs) used today on the Internet. The VPN market has changed significantly in the past ten years as the Internet has grown and as vastly more companies have come to rely on the Internet for communications.
The landscape of VPN products and services offered by a wide variety of vendors continues to evolve. This has caused companies whose networks need protection to become confused about what is and is not a VPN, and the features of the different VPN systems that are being offered to them. The descriptions and definitions in this white paper should help to reduce the confusion for VPN customers, as well as to aid VPN vendors in describing their offerings in a useful fashion.
There are three types of Virtual Private Networks:
Ø Secure Networks
Ø Trusted Networks
Ø Hybrid Networks
Requirements for VPNs
There is one very important requirement that is common to secure VPNs, trusted VPNs, and hybrid VPNs: the VPN administrator must know the extent of the VPN. Regardless of the type of VPN in use, a VPN is meant to have capabilities that the "regular" network does not. Thus, the VPN administrator must be able to know at all times what data will and will not be in the VPN.
Each of the three types of VPN has its own additional requirements.
Secure VPN requirements
All traffic on the secure VPN must be encrypted and authenticated. Many of the protocols that are used to create secure VPNs allow the creation of VPNs that have authentication but no encryption. Although such a network is more secure than a network with no authentication, it is not a VPN because there is no privacy.
The security properties of the VPN must be agreed to by all parties in the VPN. Secure VPNs have one or more tunnels, and each tunnel has two endpoints. The administrators of the two endpoints of each tunnel must be able to agree on the security properties of the tunnel.
No one outside the VPN can affect the security properties of the VPN. It must be impossible for an attacker to change the security properties of any part of a VPN, such as to weaken the encryption or to affect which encryption keys are used.
Trusted VPN requirements
No one other than the trusted VPN provider can affect the creation or modification of a path in the VPN. The entire value of the trusted VPN is that the customer can trust the provider to provision and control the VPN. Therefore, no one outside the realm of trust can change any part of the VPN. Note that some VPNs span more than one provider; in this case, the customer is trusting the group of providers as if they were a single provider.
No one other than the trusted VPN provider can change data, inject data, or delete data on a path in the VPN. A trusted VPN is more than just a set of paths: it is also the data that flows along those paths. Although the paths are typically shared among many customers of a provider, the path itself must be specific to the VPN, and no one other than the trusted provider can affect the data on that path. Such a change by an outside party would affect the characteristics of the path itself, such as the amount of traffic measured on the path.
The routing and addressing used in a trusted VPN must be established before the VPN is created. The customer must know what is expected of the customer, and what is expected of the service provider, so that they can plan for maintaining the network that they are purchasing.
Hybrid VPN requirements
The address boundaries of the secure VPN within the trusted VPN must be extremely clear. In a hybrid VPN, the secure VPN may be a subset of the trusted VPN, such as when one department in a corporation runs its own secure VPN over the corporate trusted VPN. For any given pair of addresses in a hybrid VPN, the VPN administrator must be able to definitively say whether or not traffic between those two addresses is part of the secure VPN.
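The two requirements above that an administrator can actually check mechanically are the secure-VPN rule that every tunnel must be both encrypted and authenticated, and the hybrid-VPN rule that the secure VPN must be a clearly bounded subset of the trusted VPN. The following Python is an added example, not code from the VPNC paper: it models the trusted VPN as the prefixes the provider has provisioned and the secure VPN as a set of tunnels between pairs of protected prefixes, rejects authentication-only tunnels and tunnels whose endpoints fall outside the trusted VPN, and answers the "which VPN is this address pair in?" question for any two addresses. All prefixes, tunnel names and algorithm labels are constructed for illustration.

```python
"""Checking the extent of a hybrid VPN (added example, not from the VPNC paper).

The configuration is constructed: the trusted VPN is modelled as the customer
prefixes the provider has provisioned, the secure VPN as IPsec-style tunnels
between pairs of protected prefixes. Names and values are illustrative only.
"""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress


@dataclass(frozen=True)
class Tunnel:
    name: str
    endpoint_a: str                 # prefix protected behind endpoint A
    endpoint_b: str                 # prefix protected behind endpoint B
    encryption: Optional[str]       # e.g. "aes-256-cbc"; None means no privacy
    authentication: Optional[str]   # e.g. "hmac-sha256"; None means no integrity


def validate_tunnel(t: Tunnel) -> List[str]:
    """A secure VPN tunnel needs both encryption and authentication.

    Several protocols allow authentication-only tunnels; the paper does not
    count those as a VPN because they provide no privacy.
    """
    problems = []
    if not t.encryption:
        problems.append(f"{t.name}: no encryption, so no privacy (not a secure VPN)")
    if not t.authentication:
        problems.append(f"{t.name}: no authentication, so an attacker could alter traffic")
    return problems


class HybridVpn:
    """Trusted VPN prefixes plus the secure tunnels that run inside them."""

    def __init__(self, trusted_prefixes: List[str], tunnels: List[Tunnel]):
        self.trusted = [ipaddress.ip_network(p) for p in trusted_prefixes]
        self.tunnels = list(tunnels)
        for t in self.tunnels:
            bad = validate_tunnel(t)
            if bad:
                raise ValueError("; ".join(bad))
            # The secure VPN must be a subset of the trusted VPN, so every
            # tunnel endpoint prefix has to lie inside some trusted prefix.
            for ep in (t.endpoint_a, t.endpoint_b):
                if not self._prefix_in_trusted(ipaddress.ip_network(ep)):
                    raise ValueError(f"{t.name}: {ep} is outside the trusted VPN")

    def _prefix_in_trusted(self, net) -> bool:
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        return any(net.version == tp.version and net.subnet_of(tp) for tp in self.trusted)

    def _addr_in_trusted(self, addr) -> bool:
        return any(addr in tp for tp in self.trusted)

    def classify(self, src: str, dst: str) -> str:
        """Say definitively where traffic between two addresses belongs.

        'secure'  : carried in a secure tunnel (encrypted and authenticated)
        'trusted' : inside the trusted VPN only (provider-controlled path)
        'outside' : not part of the VPN at all
        """
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for t in self.tunnels:
            a = ipaddress.ip_network(t.endpoint_a)
            b = ipaddress.ip_network(t.endpoint_b)
            if (s in a and d in b) or (s in b and d in a):
                return "secure"
        if self._addr_in_trusted(s) and self._addr_in_trusted(d):
            return "trusted"
        return "outside"

    def secure_extent(self) -> List[str]:
        """The address ranges the administrator can point to as 'secure VPN'."""
        prefixes = {t.endpoint_a for t in self.tunnels} | {t.endpoint_b for t in self.tunnels}
        return sorted(prefixes)


def demo() -> dict:
    """Constructed setup: one department's secure tunnel inside a corporate trusted VPN."""
    vpn = HybridVpn(
        trusted_prefixes=["10.0.0.0/8", "172.16.0.0/12"],
        tunnels=[Tunnel("finance", "10.1.0.0/16", "10.2.0.0/16", "aes-256-cbc", "hmac-sha256")],
    )
    return {
        "finance_to_finance": vpn.classify("10.1.5.5", "10.2.9.9"),    # secure
        "finance_to_other": vpn.classify("10.1.5.5", "10.3.1.1"),      # trusted only
        "to_internet": vpn.classify("10.1.5.5", "203.0.113.7"),        # outside
        "extent": vpn.secure_extent(),
    }


if __name__ == "__main__":
    print(demo())
```

The point of `classify` is the hybrid-VPN requirement itself: for any address pair the answer is one of exactly three values, never "it depends", and a tunnel whose endpoint falls outside the trusted VPN is refused at configuration time rather than silently producing traffic the administrator cannot account for.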
Technologies Supported by VPNC
The following technologies support the requirements from the previous section. VPNC supports these technologies when they are implemented by users themselves and when they are implemented in provider-provisioned VPNs.
Secure VPN technologies
Ø IPsec with encryption in either tunnel or transport modes. The security associations can be set up either manually or using IKE with either certificates or preshared secrets. IPsec is described in many RFCs, including 2401, 2406, 2407, 2408, and 2409.
Ø IPsec inside of L2TP (as described in RFC 3193) has significant deployment for client-server remote access secure VPNs.
Ø SSL 3.0 or TLS with encryption. TLS is described in RFC 2246. An excellent book on SSL 3.0 and TLS is "SSL and TLS: Designing and Building Secure Systems" by Eric Rescorla (ISBN 0201615983).
These technologies (other than SSL 3.0) are standardized in the IETF, and each has many vendors who have shown their products to interoperate well in the field.
Trusted VPN technologies
Modern service providers offer many different types of trusted VPNs. These can generally be separated into "layer 2" and "layer 3" VPNs.
Technologies for trusted layer 2 VPNs include:
Ø ATM circuits
Ø Frame relay circuits
Ø Transport of layer 2 frames over MPLS, as described in draft-martini-l2circuittrans-mpls and other related Internet Drafts.
Technologies for trusted layer 3 VPNs include:
Ø MPLS with constrained distribution of routing information through BGP, as described in draft-ietf-ppvpn-rfc2547bis and other related Internet Drafts.
Neither of the MPLS-based technologies has been standardized in the IETF, but it is widely assumed that both will become standards in the future. Also, the service provider industry has not embraced one of these technologies much more strongly than the other.
Hybrid VPN technologies
Any supported secure VPN technologies running over any supported trusted VPN technology.
It is important to note that a hybrid VPN is only secure in the parts that are based on secure VPNs. That is, adding a secure VPN to a trusted VPN does not increase the security for the entire trusted VPN, only to the part that was directly secured. The secure VPN acquires the advantages of the trusted VPN, such as having known QoS features.
The term "VPN" has taken on many different meanings in recent years. VPNC has a white paper about VPN technologies that describes many of the terms used in the VPN market today. In specific, it differentiates between secure VPNs and trusted VPNs, which are two very different technologies.
For secure VPNs, the technologies that VPNC supports are
Ø IPsec with encryption
Ø L2TP inside of IPsec
Ø SSL with encryption
For trusted VPNs, the technologies that VPNC supports are:
Ø MPLS with constrained distribution of routing information through BGP ("layer 3 VPNs")
Ø Transport of layer 2 frames over MPLS ("layer 2 VPNs")
IPsec is the most dominant protocol for secure VPNs. SSL gateways for remote-access users are also popular for secure VPNs. L2TP running under IPsec has a much smaller but significant deployment. For trusted VPNs, the market is split between the two MPLS-based protocols: companies that want to do their own routing tend to use layer 2 VPNs, while companies that want to outsource their routing tend to use layer 3 VPNs.
The various VPN protocols are defined by a large number of standards and recommendations that are codified by the Internet Engineering Task Force (IETF). There are many flavors of IETF standards, recommendations, statements of common practice, and so on. Some of the protocols used in IPsec are full IETF standards; the others are often useful and stable enough to be treated as standard by people writing IPsec software. Neither of the trusted VPN technologies is an IETF standard yet, although a great deal of work is being done to move them toward standardization.
The relevant IETF Working Groups for the protocols used by secure VPNs and trusted VPNs are:
Ø Profiling Use of PKI in IPsec Working Group
Ø IKEv2 Mobility and Multihoming Working Group
Ø Transport Layer Security Working Group
Ø Layer 2 Virtual Private Networks (l2vpn) Working Group
Ø Layer 3 Virtual Private Networks (l3vpn) Working Group
Ø Pseudo Wire Emulation Edge to Edge (pwe3) Working Group
The standards and drafts for these protocols fall into the following categories:
For secure VPNs:
Ø General IPsec
Ø ESP and AH (encryption and authentication headers)
Ø Key exchange (ISAKMP, IKE, and others)
Ø Cryptographic algorithms
Ø IPsec policy handling
Ø Remote access
Ø SSL and TLS
For trusted VPNs:
Ø General MPLS
Ø MPLS constrained by BGP routing
Ø Transport of layer 2 frames over MPLS
Ø Virtual routers
Uses of VPNs
For Secure VPNs:
Ø Secure VPNs are particularly valuable for remote access where a user is connected to the Internet at a location not controlled by the network administrator, such as from a hotel room, airport kiosk, or home.
Ø The main reason that companies use secure VPNs is so that they can transmit sensitive information over the Internet without needing to worry about who might see it.
Ø Using a secure VPN allows the company to know that an attacker cannot alter the contents of their transmissions.
For Trusted VPNs:
Ø Companies who use trusted VPNs do so because they want to know that their data is moving over a set of paths that has specified properties and is controlled by one ISP or a trusted confederation of ISPs.
Ø This allows the customer to use their own private IP addressing schemes, and possibly to handle their own routing.
For Hybrid VPNs:
Ø A typical situation for hybrid VPN deployment is when a company already has a trusted VPN in place and some parts of the company also need security over part of the VPN.
Source: material collected from the Internet.
Hence we studied the different types of Virtual Private Network, which shows us how such a system is made secure against attackers. These networks are helpful and efficient for better networking.