DOCSLIB.ORG

Virtual Private Networks Identifier, September 1999

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Virtual Private Networks Identifier, September 1999 VirtualVirtual PrivatePrivate NetworksNetworks Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 [email protected] Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-09/ Washington University in St. Louis CSE571S ©2009 Raj Jain 17-1 Overview Overview: What, When, Issues Types of VPNs: PE/CE based, L2 vs. L3 Point-to-Point Protocol (PPP) VPN Tunneling Protocols: GRE, PPTP, L2TPv3, MPLS Washington University in St. Louis CSE571S ©2009 Raj Jain 17-2 WhatWhat isis aa VPN?VPN? Private Network: Uses leased lines Virtual Private Network: Uses public Internet Internet Service Provider Washington University in St. Louis CSE571S ©2009 Raj Jain 17-3 WhenWhen toto VPN?VPN? Modest Many Bandwidth Locations QoS not Long Critical Distance More Locations, Longer Distances, Less Bandwidth/site, QoS (Quality of Service) less critical ⇒ VPN more justifiable Fewer Locations, Shorter Distances, More Bandwidth/site, QoS more critical ⇒ VPN less justifiable Washington University in St. Louis CSE571S ©2009 Raj Jain 17-4 VPNVPN DesignDesign IssuesIssues 1. Security 2. Address Translation 3. Performance: Throughput, Load balancing (round-robin DNS), fragmentation 4. Bandwidth Management: RSVP (Resource Reservation Protocol) 5. Availability: Good performance at all times 6. Scalability: Number of locations/Users 7. Interoperability: Among vendors, Internet Service Providers (ISPs), customers (for extranets) ⇒ Standards Compatibility, With firewall Washington University in St. Louis CSE571S ©2009 Raj Jain 17-5 DesignDesign IssuesIssues (Cont)(Cont) 8. Compression: Reduces bandwidth requirements 9. Manageability: SNMP (Simple Network Management Protocol), Browser based, Java based, centralized/distributed 10. Accounting, Auditing, and Alarming 11. Protocol Support: IP, non-IP (IPX) 12. Platform and O/S support: Windows, UNIX, MacOS, HP/Sun/Intel 13. Installation: Changes to desktop or backbone only 14. Legal: Exportability, Foreign Govt Restrictions, Key Management Infrastructure (KMI) initiative ⇒ Need key recovery Washington University in St. Louis CSE571S ©2009 Raj Jain 17-6 TypesTypes ofof VPNsVPNs Ends: ¾ WAN VPN: Branch offices ¾ Access VPN: Roaming Users ¾ Extranet VPNs: Suppliers and Customers Branch Office ISP Head Office Partner Telecommuter Washington University in St. Louis CSE571S ©2009 Raj Jain 17-7 TypesTypes ofof VPNsVPNs (Cont)(Cont) Payload Layer: Layer 1 (L1), Layer 2 (L2) VPN (Ethernet), L3 VPN (IP) Tunneling Protocol: MPLS (Multiprotocol Label Switching), GMPLS (Generalized MPLS), L2TPv3 (Layer 2 Tunneling Protocol version 3), PPTP (Point to Point Tunneling Protocol) Who is in charge?: Provider Edge Device (PE Based) or Customer Edge Device (CE Based) VPN Site-to-Site Access PPVPN CE Based L3 L2 L1 L3 L2 L1 MPLS Virtual VPWS VPLS IPsecL2TPv3 GRE Router PPTP Washington University in St. Louis CSE571S ©2009 Raj Jain 17-8 CECE BasedBased VPNsVPNs Customers Edge routers implement IPsec tunnels Customer Net 2 CE Customer Customer CE CE Net 1 Net 4 CE Customer Net 3 Washington University in St. Louis CSE571S ©2009 Raj Jain 17-9 PEPE BasedBased VPNsVPNs Service providers offers privacy, QoS, and Routing Customer uses standard routers Customer Net 2 CE PE Customer Customer CE PE PE CE Net 1 Net 4 PE Washington University in St. Louis CSE571S ©2009 Raj Jain 17-10 LayerLayer 11 VPNsVPNs A single fiber can carry multiple wavelengths, which can be rearranged dynamically to provide a VPN for customers. Similarly, a single SONET (Synchronous optical network) stream can be shared by multiple customers. Connectivity is at layer 1. Any layer 2 signal (Ethernet, ATM, etc) or multiple L2 signals can be carried. [RFC 4847] Can be used by carrier’s carriers PE Customer Customer CE PE PE CE Net 1 Net 2 PE Washington University in St. Louis CSE571S ©2009 Raj Jain 17-11 LayerLayer 22 VPNsVPNs Customers' Layer 2 packets are encapsulated and delivered at the other end Looks like the two ends are on the same LAN or same wire ⇒ Provides Ethernet connectivity Works for all Layer 3 protocols Virtual Private Wire Service (VPWS) Virtual Private LAN Service (VPLS) RFC4664, "Framework for L2 VPNs," Sep 2006. Provider Net Provider Net Washington University in St. Louis CSE571S ©2009 Raj Jain 17-12 LayerLayer 33 VPNVPN Provides Layer 3 connectivity Looks like the two customer routers are connected Usually designed for IP packets Provider Net Washington University in St. Louis CSE571S ©2009 Raj Jain 17-13 PPP:PPP: IntroductionIntroduction Point-to-point Protocol Originally for User-network connection Now being used for router-router connection Three Components: Data encaptulation, Link Control Protocol (LCP), Network Control Protocols (NCP) Up Opened Dead Establish Authenticate Fail Fail Success/None Down Closing Terminate Network Washington University in St. Louis CSE571S ©2009 Raj Jain 17-14 PPPPPP ProceduresProcedures Typical connection setup: ¾ Home PC Modem calls Internet Provider's router: sets up physical link ¾ PC sends series of LCP packets Select PPP (data link) parameters Authenticate ¾ PC sends series of NCP packets Select network parameters E.g., Get dynamic IP address Transfer IP packets Washington University in St. Louis CSE571S ©2009 Raj Jain 17-15 VPNVPN TunnelingTunneling ProtocolsProtocols GRE: Generic Routing Encaptulation (RFC 1701/2) PPTP: Point-to-point Tunneling Protocol L2TP: Layer 2 Tunneling protocol IPsec: Secure IP MPLS: Multiprotocol Label Switching Washington University in St. Louis CSE571S ©2009 Raj Jain 17-16 GREGRE Delivery Header GRE Header Payload Generic Routing Encaptulation (RFC 1701/1702) Generic ⇒ X over Y for any X or Y Optional Checksum, Loose/strict Source Routing, Key Key is used to authenticate the source Over IPv4, GRE packets use a protocol type of 47 Allows router visibility into application-level header Restricted to a single provider network ⇒ end-to-end Washington University in St. Louis CSE571S ©2009 Raj Jain 17-17 PPTPPPTP Network PPTP ISP Access Client Server Server PPTP Tunnel PPTP = Point-to-point Tunneling Protocol Developed jointly by Microsoft, Ascend, USR, 3Com and ECI Telematics PPTP server for NT4 and clients for NT/95/98 Washington University in St. Louis CSE571S ©2009 Raj Jain 17-18 PPTPPPTP PacketsPackets Network Private PPTP Internet Access Client Network Server Server PPP PPP Public IP IP IP Addressing GRE GRE PPP PPP PPP IP/IPX/NetBEUI IP/IPX/NetBEUI IP/IPX/NetBEUI Data Data Data Internal IP Encrypted Addressing Washington University in St. Louis CSE571S ©2009 Raj Jain 17-19 L2TPL2TP Layer 2 Tunneling Protocol L2F = Layer 2 Forwarding (From CISCO) L2TP = L2F + PPTP Combines the best features of L2F and PPTP Easy upgrade from L2F or PPTP Allows PPP frames to be sent over non-IP (Frame relay, ATM) networks also (PPTP works on IP only) Allows multiple (different QoS) tunnels between the same end-points. Better header compression. Supports flow control Washington University in St. Louis CSE571S ©2009 Raj Jain 17-20 L2TPv3L2TPv3 Provider Net Allows service providers to offer L2 VPN over IP network. L2TPv2 was for tunneling PPP over packet switched data networks (PSDN) V3 generalizes it for other protocols over PSDN ⇒ PPP specific header removed Can handle HDLC (High-Level Data Link Control), Ethernet, 802.1Q VLANs, Frame relay, packet over SONET (Synchronous Optical Network) Washington University in St. Louis CSE571S ©2009 Raj Jain 17-21 L2TPv3L2TPv3 (Cont)(Cont) Universal Transport Interface (UTI) is a pre-standard effort for transporting L2 frames. L2TPv3 extends UTI and includes it as one of many supported encapsulations. L2TPv3 has a control plane using reliable control connection for establishment, teardown and maintenance of individual sessions. RFC4667, "L2 VPN extensions for L2TP," Sept 2006 Ref: L2TPv3 FAQ, www.cisco.com/warp/public/cc/so/neso/vpn/unvpnst/ 2tpv3_qp.pdf Washington University in St. Louis CSE571S ©2009 Raj Jain 17-22 L2TPv3L2TPv3 FrameFrame FormatFormat Delivery Header L2TPv3 Header Payload 20B 12B Tunnel Identifier Tunnel Cookie 4B 8B Delivery Header: IPv4 header Payload: L2 or L3 packet Washington University in St. Louis CSE571S ©2009 Raj Jain 17-23 MultiprotocolMultiprotocol LabelLabel SwitchingSwitching (MPLS)(MPLS) PBXPBX PBXPBX 1 3 5 2 3 Allows virtual circuits in IP Networks (May 1996) Each packet has a virtual circuit number called ‘label’ Label determines the packet’s queuing and forwarding Circuits are called Label Switched Paths (LSPs) LSP’s have to be set up before use Allows traffic engineering Washington University in St. Louis CSE571S ©2009 Raj Jain 17-24 LabelLabel SwitchingSwitching ExampleExample Ethernet Header IP Header Payload Layer 2.5 Ethernet Header Label IP Header Payload 64 3 5 <64> A R1 <3> <5> R3 C B R2 <2> <5> <3> 5 3 2 Washington University in St. Louis CSE571S ©2009 Raj Jain 17-25 LabelLabel AssignmentAssignment Unsolicited: Topology driven ⇒ Routing protocols exchange labels with routing information. Many existing routing protocols are being extended: BGP, OSPF On-Demand: ⇒ Label assigned when requested, e.g., when a packet arrives ⇒ latency Label Distribution Protocol called LDP RSVP has been extended to allow label request and response Washington University in St. Louis CSE571S ©2009 Raj Jain 17-26 VPNVPN SupportSupport withwith MPLSMPLS Labels contain Class of Service (CoS), Stack Indicator (SI), and Time to Live (TTL) Label Switch/Router Private ISP R S S S S R S Unlabeled Labeled Unlabeled Packet Packet
Load more

Recommended publications
  • Your Performance Task Summary Explanation
    Lab Report: 13.3.4 Configure Remote Wipe Your Performance Your Score: 0 of 1 (0%) Pass Status: Not Passed Elapsed Time: 17 seconds Required Score: 100% Task Summary Actions you were required to perform: In Remotely wipe Maggie's iPad Explanation In this lab, your task is to assist Maggie with a remote wipe as follows: Log in to icloud.com using the following credentials: Apple ID: [email protected] Password: maggieB123 Using Find iPhone, select her iPad and erase it. Enter a phone number and message to be displayed on the iPad. Complete this lab as follows: 1. In the URL field in Chrome, enter icloud.com and press Enter. 2. Maximize the window for easier viewing. 3. In the Sign in to iCloud field, enter [email protected] and press Enter. 4. Enter maggieB123 and press Enter. 5. Select Find iPhone. 6. Select All Devices. 7. Select Maggie's iPad. 8. Select Erase iPad. 9. Select Erase. 10. In the Enter AppleID to continue field, enter [email protected] and press Enter. 11. Enter maggieB123 and press Enter. 12. In the Number field, enter a phone number of your choosing to be displayed on the iPad. 13. Click Next. 14. Enter a message of your choosing to be displayed on the iPad. 15. Click Done. 16. Click OK. Lab Report: 13.3.6 Require a Screen Saver Password Your Performance Your Score: 0 of 3 (0%) Pass Status: Not Passed Elapsed Time: 8 seconds Required Score: 100% Task Summary Actions you were required to perform: In Enable the screen saver In Enable the screen saver after 10 minutes In Show the logon screen when the computer wakes Explanation In this lab, your task is to complete the following: Enable the screen saver (you choose the screen saver type to use).
    [Show full text]
  • Ipv4 WAN (Internet) Layer 2 Tunneling Protocol (L2TP) Configuration on RV120W and RV220W
    IPv4 WAN (Internet) Layer 2 Tunneling Protocol (L2TP) Configuration on RV120W and RV220W Objectives Layer 2 Tunneling Protocol (L2TP) establishes a Virtual Private Network (VPN) that allows remote hosts to connect to one another through a secure tunnel. It does not provide any encryption or confidentiality by itself but relies on an encryption protocol that it passes within the tunnel to provide privacy. One of its biggest advantages is that it encrypts the authentication process which makes it more difficult for someone to "listen in" on your transmission to intercept and crack the data. L2TP does not only provide confidentiality but also data integrity. Data integrity is protection against modification of date between the time it left the sender and the time it reached the recipient. This document explains how to configure the IPv4 WAN (Internet) for use with Layer 2 Tunneling Protocol (L2TP) on the RV120W and RV220W. Applicable Devices • RV120W • RV220W Software Version • v1.0.4.17 IPv4 WAN (Internet) L2TP Configuration Step 1. Log in to the web configuration utility and choose Networking > WAN (Internet) > IPv4 WAN(Internet). The IPv4 WAN (Internet) page opens: Step 2. Choose L2TP from the Internet Connection Type drop-down list. Step 3. Enter the username provided from ISP in the User Name field. Step 4. Enter the password provided from ISP in the password field. Step 5. (Optional) Enter the secret pass phrase if provided by the ISP in the Secret field. Step 6. Click the desired radio button for the Connection Type: • Keep Connected — This keeps the device connected to the network for all the time.
    [Show full text]
  • Application Note
    Remote Access Serial Communications - Serial Server RFL eXmux 3500® IP Access Multiplexer The RFL eXmux 3500 is a hardened IP Access Multiplexer engineered for mission critical infrastructures that seamlessly transport voice, serial, video and Ethernet data communications over Ethernet/IP or MPLS networks. The eXmux 3500 is a Layer 2 device with an integrated managed Ethernet switch which allows the eXmux 3500 to be used either in a private network with other eXmux 3500’s or as part of a larger Ethernet/IP/MPLS network. Both fiber (using SFPs) and RJ-45 connections are available for the eXmux 3500; uplink speeds of up to a Gigabit are possible. This application note illustrates the eXmux-3500 IP access multiplexer basic remote access communications with remote devices that has serial (RS232, DB9) interface functionality using the Serial Server IU as depicted in Figure 1 below. LAN 1 LAN 2 PC-1 PC-2 IP Address=10.10.12.100 Remote Access Using Serial Server IP Address=10.10.11.100 ethernet ethernet Ethernet/IP Network P1 P5 P5 P1 SSrv Port 1 eXmux 3500-1 eXmux 3500-2 SSrv Port 2 IP address=10.10.12.12 IP Address=10.10.11.12 RS-232 comm port RS-232 comm port Figure 1…Remote Access Communication Topology Serial Server IU Implementation The Serial Server (SSrv) is an IP-based interface unit (IU) of the eXmux 3500 that supports remote communications to a serial device connected either RS-232 or RS-485/4W using either standard Telnet (Unsecured) or SSH (Secure Shell - Tunneling) IP applications.
    [Show full text]
  • Mist Teleworker ME
    MIST TELEWORKER GUIDE ​ ​ ​ ​ ​ Experience the corporate network @ home DOCUMENT OWNERS: ​ ​ ​ ​ Robert Young – [email protected] ​ Slava Dementyev – [email protected] ​ Jan Van de Laer – [email protected] ​ 1 Table of Contents Solution Overview 3 How it works 5 Configuration Steps 6 Setup Mist Edge 6 Configure and prepare the SSID 15 Enable Wired client connection via ETH1 / Module port of the AP 16 Enable Split Tunneling for the Corp SSID 17 Create a Site for Remote Office Workers 18 Claim an AP and ship it to Employee’s location 18 Troubleshooting 20 Packet Captures on the Mist Edge 23 2 Solution Overview Mist Teleworker solution leverages Mist Edge for extending a corporate network to remote office workers using an IPSEC secured L2TPv3 tunnel from a remote Mist AP. In addition, MistEdge provides an additional RadSec service to securely proxy authentication requests from remote APs to provide the same user experience as inside the office. WIth Mist Teleworker solution customers can extend their corporate WLAN to employee homes whenever they need to work remotely, providing the same level of security and access to corporate resources, while extending visibility into user network experience and streamlining IT operations even when employees are not in the office. What are the benefits of the Mist Teleworker solution with Mist Edge compared to all the other alternatives? Agility: ● Zero Touch Provisioning - no AP pre-staging required, support for flexible all home coverage with secure Mesh ● Exceptional support with minimal support - leverage Mist SLEs and Marvis Actions Security: ● Traffic Isolation - same level of traffic control as in the office.
    [Show full text]
  • GPRS Tunneling Protocol (GTP) Processing
    TECHNOLOGY BRIEF GPRS Tunneling Protocol (GTP) Processing GPRS Tunneling Protocol or GTP for short is a mechanism used exclusively in cellular SUMMARY networks to tunnel IP packets through a mobile network core. The protocol was Comprehensive discussion of GTP introduced in the late 1990s when the first generation of packetized data—known protocol and how an Accolade as General Packet Radio Services or GPRS—was adopted. GPRS is often referred to adapter can help with GTP as 2.5G because it runs over GSM (2nd Generation or 2G mobile technology). GTP deduplication has moved on from those humble beginnings and is used in an updated form in KEY POINTS both 4G (LTE) and emerging 5G cellular networks. The main benefit of GTP is that • GTP is used exclusively in mobile a user’s IP address can be decoupled from routing and related decisions within networks a mobile network core. This is what allows a cellular customer to move around • Accolade ANIC adapters can fully from base station to base station and still maintain uninterrupted connectivity parse GTP packets and offer to external networks such as the Internet. It also allows for multiple services such value added capabilities such as as VoLTE (Voice over LTE) to be provisioned on the same device. In short, GTP is a deduplication crucial tunneling protocol that is indispenable in all modern mobile networks. HOW IT WORKS Figure 1 depicts a mobile phone (referred to as “user equipment” or “UE” in the industry) accessing an Internet web server with IP address 74.125.71.104. The phone or UE is initially connected to base station #1 (referred to as an eNodeB or “eNB” in LTE) and generates a simple IP packet to access the web server.
    [Show full text]
  • Spirent Testcenter™
    DATASHEET Spirent TestCenter™ L2TPv2 / L2TPv3 Base Packages Convergence is creating a new generation of integrated network Layer 2 Tunneling Protocol (L2TP) is used to support Virtual Private Networks (VPNs) devices and services that are or as part of the delivery of services by ISPs. Spirent TestCenter L2TP Base Package much more complex than ever enables Service Providers and network equipment manufacturers to quickly validate before. Service Providers need subscriber scalability. While L2TPv2 is all about PPPoE subscriber sessions being the ability to deploy networks tunneled to domains, L2TPv3 is more about multi-protocol tunneling. L2TPv3 Base quickly that get Quality of Package provides additional security features, improved encapsulation, and the Experience (QoE) right the first ability to carry data links other than simply Point-to-Point Protocol (PPP) over an time. IP network. L2TPv3 is emerging as a core tunneling and VPN technology for next- generation networks. L2TPv3 provides the flexibility and scalability of IP with the Benefits privacy of Frame Relay and ATM. L2TPv3 will allow network services to be delivered over routed IP networks. Stability and performance of L2TP is critical to many Service • L2TP Tunnel capacity testing Providers and data services. • Session per tunnel testing Spirent can help you address this challenge with Spirent TestCenter with its innovative design. Now you can create and execute more complex test cases in less time with the • Data forwarding across all L2TP same resources—and scale tests higher while debugging problems faster. The results: tunnels lower CAPEX and OPEX, faster time to market, greater market share and higher • L2TP Tunnel stability test profitability, the ability to tunnel thousands of subscribers to thousands of tunnels with authentication and verify data forwarding and receive rates per subscriber.
    [Show full text]
  • Brocade Vyatta Network OS Data Sheet
    DATA SHEET Brocade Vyatta Network OS HIGHLIGHTS A Network Operating System for the Way Forward • Offers a proven, modern network The Brocade® Vyatta® Network OS lays the foundation for a flexible, easy- operating system that accelerates the adoption of next-generation to-use, and high-performance network services architecture capable of architectures meeting current and future network demands. The operating system was • Creates an open, programmable built from the ground up to deliver robust network functionality that can environment to enhance be deployed virtually or as an appliance, and in concert with solutions differentiation, service quality, and from a large ecosystem of vendors, to address various Software-Defined competitiveness Networking (SDN) and Network Functions Virtualization (NFV) use cases. • Supports a broad ecosystem for With the Brocade Vyatta Network OS, organizations can bridge the gap optimal customization and service between traditional and new architectures, as well as leverage existing monetization investments and maximize operational efficiencies. Moreover, they can • Simplifies and automates network compose and deploy unique, new services that will drive differentiation functions to improve time to service, increase operational efficiency, and and strengthen competitiveness. reduce costs • Delivers breakthrough performance flexibility, performance, and operational and scale to meet the needs of any A Proven, Modern Operating efficiency, helping organizations create deployment System The Brocade Vyatta Network OS new service offerings and value. Since • Provides flexible deployment options separates the control and data planes in 2012, the benefits of this operating to support a wide variety of use cases software to fit seamlessly within modern system have been proven by the Brocade SDN and NFV environments.
    [Show full text]
  • EDS3000 Device Server Command Reference EDS3008/16/32PR EDS3008/16PS
    EDS3000 Device Server Command Reference EDS3008/16/32PR EDS3008/16PS Part Number PMD-00014 Revision B December 2020 Intellectual Property © 2021 Lantronix, Inc. All rights reserved. No part of the contents of this publication may be transmitted or reproduced in any form or by any means without the written permission of Lantronix. Lantronix is a registered trademark of Lantronix, Inc. in the United States and other countries. Patented: http://patents.lantronix.com; additional patents pending. Windows is a registered trademark of Microsoft Corporation. Wi-Fi is registered trademark of Wi-Fi Alliance Corporation. All other trademarks and trade names are the property of their respective holders. Warranty For details on the Lantronix warranty policy, please go to our web site at www.lantronix.com/support/warranty. Contacts Lantronix, Inc. 7535 Irvine Center Drive Suite 100 Irvine, CA 92618, USA Toll Free: 800-526-8766 Phone: 949-453-3990 Fax: 949-453-3995 Technical Support Online: www.lantronix.com/support Sales Offices For a current list of our domestic and international sales offices, go to the Lantronix web site at www.lantronix.com/about/contact. Disclaimer All information contained herein is provided “AS IS.” Lantronix undertakes no obligation to update the information in this publication. Lantronix does not make, and specifically disclaims, all warranties of any kind (express, implied or otherwise) regarding title, non-infringement, fitness, quality, accuracy, completeness, usefulness, suitability or performance of the information provided herein. Lantronix shall have no liability whatsoever to any user for any damages, losses and causes of action (whether in contract or in tort or otherwise) in connection with the user’s access or usage of any of the information or content contained herein.
    [Show full text]
  • DESIGN ALTERNATIVES for Virtual Private Networks
    DESIGN ALTERNATIVES FOR Virtual Private Networks G.I. Papadimitriou1, M. S. Obaidat2, C. Papazoglou3 and A.S. Pomportsis4 1Department of Informatics, Aristotle University, Box 888, 54124 Thessaloniki, Greece 2Department of Computer Science, Monmouth University, W. Long Branch, NJ 07764, USA 3Department of Informatics, Aristotle University, Box 888, 54124 Thessaloniki, Greece 4Department of Informatics, Aristotle University, Box 888, 54124 Thessaloniki, Greece Keywords. Virtual private networks (VPNs), PPTP, L2TP, IPSec, tunneling, encryption, SSL, QoS Abstract. Virtual private networks (VPNs) are becoming more and more important for all kinds of businesses with a wide spectrum of applications and configurations. This paper presents the basic concepts related to VPNs. These include the different types of VPN services, namely Intranet, Extranet and Remote Access VPNs. The concept of tunneling, which is fundamental in VPNs, is discussed in great detail. The tunneling protocols that are employed by VPNs, such as PPTP, L2TP and IPSec are also presented. Furthermore, the issue of Quality of Service, QoS, support in VPN configurations is briefly addressed. 1 Introduction The best way to come up with a definition of the term Virtual Private Network (VPN) is to analyze each word separately. Having done that, Ferguson and Huston (1998) came up with the following definition: A VPN is a communications environment in which access is controlled to permit peer connections only within a defined community of interest, and is constructed through some form of partitioning of a common underlying communications medium, where this underlying communications medium provides services to the network on a non-exclusive basis. Ferguson and Huston also provided a simpler and less formal description.
    [Show full text]
  • Firewalls and Vpns
    Firewalls and VPNs Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 [email protected] Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-17/ Washington University in St. Louis http://www.cse.wustl.edu/~jain/cse571-17/ ©2017 Raj Jain 23-1 Overview 1. What is a Firewall? 2. Types of Firewalls 3. Proxy Servers 4. Firewall Location and Configuration 5. Virtual Private Networks These slides are based on Lawrie Brown’s slides supplied with William Stalling’s th book “Cryptography and Network Security: Principles and Practice,” 7 Ed, 2017. Washington University in St. Louis http://www.cse.wustl.edu/~jain/cse571-17/ ©2017 Raj Jain 23-2 What is a Firewall? Interconnects networks with differing trust Only authorized traffic is allowed Auditing and controlling access Can implement alarms for abnormal behavior Provides network address translation (NAT) and usage monitoring Implements VPNs Washington University in St. Louis http://www.cse.wustl.edu/~jain/cse571-17/ ©2017 Raj Jain 23-3 Firewall Limitations Cannot protect from attacks bypassing it E.g., sneaker net, utility modems, trusted organisations, trusted services (e.g., SSL/SSH) Cannot protect against internal threats E.g., disgruntled or colluding employees Cannot protect against access via Wireless LAN If improperly secured against external use, e.g., personal hot spots Cannot protect against malware imported via laptops, PDAs, and storage infected outside Washington University in St. Louis http://www.cse.wustl.edu/~jain/cse571-17/ ©2017 Raj Jain 23-4 Firewalls – Packet Filters Examine each IP packet (no context) and permit or deny according to rules Washington University in St.
    [Show full text]
  • Brocade Vyatta Network OS LAN Interfaces Configuration Guide, 5.2R1
    CONFIGURATION GUIDE Brocade Vyatta Network OS LAN Interfaces Configuration Guide, 5.2R1 Supporting Brocade 5600 vRouter, VNF Platform, and Distributed Services Platform 53-1004724-01 24 October 2016 © 2016, Brocade Communications Systems, Inc. All Rights Reserved. Brocade, the B-wing symbol, and MyBrocade are registered trademarks of Brocade Communications Systems, Inc., in the United States and in other countries. Other brands, product names, or service names mentioned of Brocade Communications Systems, Inc. are listed at www.brocade.com/en/legal/ brocade-Legal-intellectual-property/brocade-legal-trademarks.html. Other marks may belong to third parties. Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied, concerning any equipment, equipment feature, or service offered or to be offered by Brocade. Brocade reserves the right to make changes to this document at any time, without notice, and assumes no responsibility for its use. This informational document describes features that may not be currently available. Contact a Brocade sales office for information on feature and product availability. Export of technical data contained in this document may require an export license from the United States government. The authors and Brocade Communications Systems, Inc. assume no liability or responsibility to any person or entity with respect to the accuracy of this document or any loss, cost, liability, or damages arising from the information contained herein or the computer programs that accompany it. The product described by this document may contain open source software covered by the GNU General Public License or other open source license agreements. To find out which open source software is included in Brocade products, view the licensing terms applicable to the open source software, and obtain a copy of the programming source code, please visit http://www.brocade.com/support/oscd.
    [Show full text]
  • What Is a Virtual Private Network?
    C H A P T E R 1 What Is a Virtual Private Network? A virtual private network (VPN) allows the provisioning of private network services for an organization or organizations over a public or shared infrastructure such as the Internet or service provider backbone network. The shared service provider backbone network is known as the VPN backbone and is used to transport traffic for multiple VPNs, as well as possibly non-VPN traffic. VPNs provisioned using technologies such as Frame Relay and Asynchronous Transfer Mode (ATM) virtual circuits (VC) have been available for a long time, but over the past few years IP and IP/Multiprotocol Label Switching (MPLS)-based VPNs have become more and more popular. This book focuses on describing the deployment of IP- and IP/MPLS-based VPNs. The large number of terms used to categorize and describe the functionality of VPNs has led to a great deal of confusion about what exactly VPNs are and what they can do. The sections that follow cover VPN devices, protocols, technologies, as well as VPN categories and models. VPN Devices Before describing the various VPN technologies and models, it is useful to first describe the various customer and provider network devices that are relevant to the discussion. Devices in the customer network fall into one of two categories: • Customer (C) devices—C devices are simply devices such as routers and switches located within the customer network. These devices do not have direct connectivity to the service provider network. C devices are not aware of the VPN. • Customer Edge (CE) devices—CE devices, as the name suggests, are located at the edge of the customer network and connect to the provider network (via Provider Edge [PE] devices).
    [Show full text]