Virtual Private Network real time scenario implementation for Sun Infosys Ltd.
EE249 Network Project Preparation
Rashid Yunus Khan
ID: 03020935
Email: [email protected]
Supervisor: Prof Algirdas Pakstas
Supervisor Email: [email protected]
Computing, Communications Technology and Mathematics
London Metropolitan University
166-220 Holloway Road
London
N7 8DB
Content:
1) Abstract
2) Introduction – Motivation & Background
3) Project Aims & Objectives
4) Work done by others
5) Possible Methods of Achieving the Objectives
6) Literature Search
7) Project Plan & Charts
8) Conclusions
9) List of References
1. Abstract:
This project provides an introduction to Virtual Private Networking for Sun Infosys Ltd.: the background research and theory, an analysis of the company's requirements, proposed solutions, and a real-time implementation and study. It also sets out the structure of this document and covers the concepts, theory and main terminology needed to understand and implement a Virtual Private Network.
Chapter 2 (Introduction) gives the motivation and background. Chapter 3 (Project Aims & Objectives) sets out the aims and objectives of the project. Chapter 4 (Work done by others) surveys the existing VPN tunnelling protocols. Chapter 5 (Possible Methods of Achieving the Objectives) compares hardware and software approaches and discusses protocol selection. Chapters 6 and 7 (Literature Search, Project Plan & Charts) contain the research material and the project plan. Chapter 8 (Conclusions) gives the conclusions and Chapter 9 (List of References) the references.
2. Introduction:
This documentation is a project proposal by myself, a final-year undergraduate
student in BSc Hons. Computer Networking. The chosen topic for this project is
a real-time Virtual Private Networking implementation for Sun InfoSys Ltd.
The motivation behind this project for me is not only to enhance my knowledge of a
complex but very rewarding and currently hot technology, Virtual Private
Networking, for an existing company called Sun InfoSys Ltd., but to actually
implement this project in that company. This could bear fruit for me in the form of
a possible future job prospect at this company.
In this project I will also be developing a website covering this report, which
will be available with this documentation; I will publish the web address in the
conclusion of this report.
Previously I worked for several years as a Network Engineer in Pakistan
for several companies, where I designed, implemented and troubleshot
complex networks.
I have also worked as a web developer and developed several websites for clients in
Pakistan. Clearly I have a great interest in the field of Networking, and this is the sole
reason for my taking up this degree to further my knowledge and career within this
field.
3. Project Aims & Objectives
Sun Infosys Ltd. has a business not only in computer hardware but in software and
CCTV systems as well. Because of these varied systems there was a need for
convergence and also for availability, so that resources can be reached and checked
from virtually anywhere, as the sales team and the director are mostly mobile. This
need, coupled with the popularity of VPN systems, gave me a chance to offer myself
for this project and to offer a solution to their problems. Sun Infosys Ltd. gladly accepted
my offer.
The aim of this project is to make proposals that will allow me to
investigate the best method and solution for implementing a Virtual Private Network
for Sun InfoSys Ltd. between its Head Office and Branch Office, and to provide
connectivity to its Managing Director, Sales team and the various Installers and Site
Engineers who require access to company resources.
The sales team commute to various organizations to give presentations and
to convince potential clients; they frequently require on-the-move access to
resources such as sales figures, Sage, presentations, technical data, live
demos and IP-based demonstrations of their digital CCTV systems.
The Support team and the various installers and engineers require on-the-move access to
technical resources, software, patches, and contact information from the company and
Sage when visiting client locations, which are currently anywhere in London.
After analyzing this company's needs and objectives, I have genuinely come to think that
Virtual Private Networking might offer the solution this company so
desperately needs.
Key topics for research for Virtual Private Networking:
1.1 What is VPN?
1.2 What Makes a VPN?
1.3 Types of VPN
1.4 Remote-Access VPN
1.5 Site-to-Site VPN
1.6 Extranet VPN
1.7 VPN Security
1.8 Firewalls
1.9 Encryption
1.10 IPSec
1.11 AAA Servers
1.12 VPN Technologies
1.13 VPN Concentrator
1.14 VPN-Optimized Router
1.15 Cisco Secure PIX Firewall
1.16 Tunnelling
1.17 Carrier protocol
1.18 Encapsulating protocol
1.19 Passenger protocol
1.20 Tunnelling: Site-to-Site
1.21 Tunnelling: Remote-Access
1.22 L2F (Layer 2 Forwarding)
1.23 PPTP (Point-to-Point Tunnelling Protocol)
1.24 L2TP (Layer 2 Tunnelling Protocol)
1.25 MPLS
Work Done By Others
1. PPTP – Point-to-Point Tunnelling Protocol
2. L2F – Layer 2 Forwarding
3. L2TP – Layer 2 Tunnelling Protocol
4. IPSec – IP Security Protocol
Possible methods of achieving the objectives:
When I analyzed the problem I saw two problems instead of one: first convergence, and second remote
availability. Although these are two separate problems, they can be addressed by a single solution:
Virtual Private Networking.
Virtual Private Networking offers scalability and remote availability, and eventually offers convergence as well. How does
a VPN offer convergence? Take Sun Infosys Ltd's scenario. They have CCTV systems
which are currently offline, and PC hardware assembly and sales. By leveraging a VPN the offline CCTV
systems can be linked to the intranet and reached remotely through the VPN (rather than being exposed directly on
the Internet), effectively making the CCTV systems ONLINE systems. The PC assembly department has to go through
various procedures such as hardware procurement, supply chain management, stock, sales, dispatch, returns,
technical support and marketing. All these aspects can be brought together in a single online or networked system;
in both cases the VPN is again the answer, bridging the gap.
1. Hardware-Based Solutions:
For hardware-based solutions, various tools and devices are available from a number of vendors, Cisco foremost
among them, followed by SonicWall, Shiva and others; the list is endless. These are VPN-enabled / pass-through routers,
VPN concentrators, VPN-optimized routers, VPN firewalls, etc.
2. Software-Based Solutions:
For software-based solutions there are numerous products on the market, catering to the needs of almost any
scenario. The good side of software-based solutions is that they are very customizable, upgradeable and
scalable. The bad side is that they run on a general-purpose operating system and so inherit its failures, attacks,
viruses and performance issues.
Software-based solutions are offered by the software giant Microsoft, then Symantec, Check Point Software, Cisco
and many others.
3. Protocol Selection
When talking about protocol selection for a VPN implementation I have to take into account Sun InfoSys Ltd's existing
infrastructure, the scale of the company, and the costs and budget.
Keeping the above factors in view, Sun InfoSys is a small to medium-sized organization and in my view the best
protocol to go for would be IPSec, with an IPSec-to-IPSec implementation, given its various qualities, which are
discussed and researched further in this proposal.
A point to note about software-based solutions is that they are all platform dependent. Hence they can
incur overhead costs and expensive expertise for installation and management.
What is VPN?
A VPN is a generic term that describes any combination of technologies that can be used
to secure a connection through an otherwise unsecured or untrusted network.
Cisco Definition:
http://www.cisco.com/warp/public/779/largeent/design/vpn.html
[ VPN is one of the most used words in networking today and has many different
meanings.
The broadest definition of a VPN is 'any network built upon a public network and
partitioned for use by individual customers'. This results in public frame relay, X.25,
and ATM networks being considered as VPNs. These types of VPNs are generically
referred to as Layer 2 VPNs. The emerging form of VPNs is networks constructed
across shared IP backbones, referred to as 'IP VPNs'. ]
My Definition:
Basically a VPN is a private network that uses a public network (usually the
Internet) to connect remote sites or users together. Instead of using a
dedicated, real-world connection such as leased line, a VPN uses "virtual"
connections routed through the Internet from the company's private network to
the remote site or employee.
What Makes a VPN?
A well-designed VPN can greatly benefit a company. For
example, it can:
• Extend geographic connectivity
• Improve security
• Reduce operational costs versus traditional WAN
• Reduce transit time and transportation costs for remote users
• Improve productivity
• Simplify network topology
• Provide global networking opportunities
• Provide telecommuter support
• Provide broadband networking compatibility
• Provide faster ROI (return on investment) than traditional WAN
A well-designed VPN should have the following features:
It should incorporate:
· Security
· Reliability
· Scalability
· Network management
· Policy management
Types of VPN:
1) Remote-Access VPN
2) Site-to-Site VPN
3) Extranet VPNs
Remote-Access VPN
Cisco Definition:
http://www.cisco.com/warp/public/779/largeent/design/remote_vpn.html
[ Remote Access VPNs provide remote access to a corporate Intranet or
extranet over a shared infrastructure with the same policies as a private
network. Access VPNs enable users to access corporate resources
whenever, wherever, and however they require. Access VPNs encompass
analog, dial, ISDN, digital subscriber line (DSL), mobile IP, and cable
technologies to securely connect mobile users, telecommuters, or branch
offices. ]
My Definition:
Remote-access, also called a virtual private dial-up network (VPDN), is a user-to-LAN connection used by a company that has employees who need to
connect to the private network from various remote locations. Normally, a
company that wishes to set up a large remote-access VPN will outsource to
an enterprise service provider (ESP). The ESP sets up a network access
server (NAS) and provides the remote users with desktop client software for
their computers. The telecommuters can then dial a low-call or free
number (0800, 0500 etc.) to reach the NAS and use their VPN client
software to access the corporate network.
Site-to-Site VPN
Cisco Definition:
http://www.cisco.com/warp/public/779/largeent/design/intranet_vpn.html
[ Site-to-Site VPNs are an alternative WAN infrastructure that is used to connect
branch offices, home offices, or business partners' sites to all or portions of
a company's network. VPNs do not inherently change private WAN
requirements, such as support for multiple protocols, high reliability, and
extensive scalability, but instead meet these requirements more cost-effectively and with greater flexibility. ]
A company can connect multiple fixed sites over a public network such as the
Internet through the use of dedicated equipment and large-scale encryption.
Site-to-site VPNs can be one of two types:
Intranet-based - If a company has one or more remote locations that they wish
to join in a single private network, they can create an intranet VPN to
connect LAN to LAN.
Extranet-based - When a company has a close relationship with another
company (for example, a partner, supplier or customer), they can build an
extranet VPN that connects LAN to LAN, and that allows all of the various
companies to work in a shared environment.
Extranet VPN
Cisco Definition:
http://www.cisco.com/warp/public/779/largeent/design/extranet_vpn.html
[ Extranet VPNs link customers, suppliers,
partners, or communities of interest to a
corporate Intranet over a shared infrastructure
using dedicated connections. Businesses enjoy
the same policies as a private network, including
security, QoS, manageability, and reliability. ]
* See reference section for resource detail.
VPN Security:
A well-designed VPN uses several methods
for keeping your connection and data
secure:
1) Firewalls
2) Encryption
3) IPSec
4) AAA Server
1) Firewalls:
[ (fīr´wâl) (n.) A system designed to prevent unauthorized access to or from a private
network. Firewalls can be implemented in both hardware and software, or a
combination of both. Firewalls are frequently used to prevent unauthorized Internet
users from accessing private networks connected to the Internet, especially intranets.
All messages entering or leaving the intranet pass through the firewall, which
examines each message and blocks those that do not meet the specified security
criteria. ]
Packet filter: Looks at each packet entering or leaving the network and accepts or
rejects it based on user-defined rules. Packet filtering is fairly effective and
transparent to users, but it is difficult to configure correctly. In addition, because it
trusts the source address written in the packet, it is susceptible to IP spoofing unless
anti-spoofing rules tied to the interface a packet arrived on are added.
Application gateway: Applies security mechanisms to specific applications, such as FTP
and Telnet servers. This is very effective, but can impose performance degradation.
Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is
established. Once the connection has been made, packets can flow between the
hosts without further checking.
Proxy server: Intercepts all messages entering and leaving the network. The proxy
server effectively hides the true network addresses.
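To make the packet-filter caveat concrete, here is an added example (my own illustration for this proposal, not code from any vendor's firewall) of a stateless first-match filter evaluated over constructed packets. A naive rule set that trusts any packet merely claiming a 192.168.10.0/24 source lets a spoofed packet from the Internet through; the hardened set binds every rule to the arrival interface and denies internal source addresses on the outside interface first. All addresses, interface names and VPN ports are assumptions for illustration, not Sun Infosys' real configuration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Sample packets, addresses and interface names below are constructed for
# illustration; they are not Sun Infosys' real addressing.

@dataclass(frozen=True)
class Packet:
    iface: str              # interface the packet arrived on: "outside" or "inside"
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "gre"
    dport: Optional[int]    # None for protocols without ports (GRE)

@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    iface: Optional[str] = None     # None matches any interface (the weak spot)
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or self.iface == p.iface)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))

def filter_packet(rules: List[Rule], p: Packet) -> str:
    """Stateless first-match evaluation with an implicit final deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

INTERNAL = "192.168.10.0/24"      # assumed head-office LAN
VPN_SERVER = "203.0.113.10/32"    # assumed public address of the VPN server

# Naive rule set: trusts any packet that merely claims an internal source address.
NAIVE_RULES = [
    Rule("permit", src=INTERNAL),
    Rule("permit", dst=VPN_SERVER, proto="tcp", dport=1723),   # PPTP control channel
    Rule("permit", dst=VPN_SERVER, proto="gre"),               # PPTP data (GRE)
    Rule("permit", dst=VPN_SERVER, proto="udp", dport=500),    # IKE for IPSec
    Rule("permit", dst=VPN_SERVER, proto="udp", dport=1701),   # L2TP
]

# Hardened rule set: anti-spoofing denies come first and every rule is bound to
# the interface it belongs to, so a forged internal source address arriving from
# the Internet can never match the "trusted LAN" rule.
HARDENED_RULES = [
    Rule("deny", iface="outside", src=INTERNAL),
    Rule("deny", iface="outside", src="127.0.0.0/8"),
    Rule("permit", iface="inside", src=INTERNAL),
    Rule("permit", iface="outside", dst=VPN_SERVER, proto="tcp", dport=1723),
    Rule("permit", iface="outside", dst=VPN_SERVER, proto="gre"),
    Rule("permit", iface="outside", dst=VPN_SERVER, proto="udp", dport=500),
    Rule("permit", iface="outside", dst=VPN_SERVER, proto="udp", dport=1701),
]

# Constructed traffic: a spoofed packet from the Internet with an internal source,
# a legitimate IKE packet to the VPN server, ordinary LAN traffic, and an Internet
# host probing an internal file share.
SPOOFED = Packet("outside", "192.168.10.5", "192.168.10.20", "tcp", 445)
LEGIT_VPN = Packet("outside", "198.51.100.7", "203.0.113.10", "udp", 500)
INTERNAL_SMB = Packet("inside", "192.168.10.5", "192.168.10.20", "tcp", 445)
INTERNET_SMB = Packet("outside", "198.51.100.7", "192.168.10.20", "tcp", 445)

if __name__ == "__main__":
    for name, rules in (("naive", NAIVE_RULES), ("hardened", HARDENED_RULES)):
        for p in (SPOOFED, LEGIT_VPN, INTERNAL_SMB, INTERNET_SMB):
            verdict = filter_packet(rules, p)
            print(f"{name:8} {p.iface:7} {p.src:>14} -> {p.dst:<14} {p.proto}: {verdict}")
```

The only difference that matters between the two rule sets is the interface binding: a packet filter cannot know whether a source address is genuine, but it does know which wire the packet came in on, and an internal address has no business arriving on the Internet-facing interface.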
2) Encryption
Definition:
Resource: Webopedia
http://www.webopedia.com/TERM/e/encryption.html
[ The translation of data into a secret code. Encryption is the most
effective way to achieve data security. To read an encrypted file, you
must have access to a secret key or password that enables you to
decrypt it. Unencrypted data is called plain text ; encrypted data is
referred to as cipher text. ]
My Definition:
Encryption is the process of taking the data that one computer sends to
another and encoding it into a form that only the intended receiver will be
able to decode. Most computer encryption systems belong to one of two categories:
Symmetric-key encryption
Public-key encryption
In symmetric-key encryption, both computers share a secret key (code) that is
used to encrypt a packet of information before it is sent over the network and
to decrypt it on arrival. One must know in advance which computers will be
talking to each other so that the key can be installed on each of them.
Symmetric-key encryption is essentially the same as a secret code that each
of the two computers must know in order to decode the information. This can
be understood with a simple example: you create a coded message to send to
a friend in which each letter is replaced by the letter two places further along
the alphabet, so "A" becomes "C" and "B" becomes "D". You have already told
a trusted friend that the code is "shift by 2". Your friend gets the message
and decodes it; anyone else who sees the message sees only nonsense. (A shift
cipher illustrates the idea only; a real VPN uses a cipher such as 3DES or AES
with keys of 128 bits or more.)
Public-key encryption uses a pair of keys, a private key and a public key.
The private key is known only to our computer, while the public key is given
out to any computer that wants to communicate securely with it. A computer
that wants to send us a message encrypts it with our public key; only our
private key can decrypt it, which is why the public key can be published
freely. A very popular public-key encryption utility is Pretty Good Privacy
(PGP), which allows one to encrypt almost anything.
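The following added example (my own illustration for this proposal, not code from PGP or any VPN product) works the "shift by 2" code through in Python, shows why such a small key space is useless against an attacker, and then demonstrates the public-key idea with textbook RSA: anyone can encrypt with the public key, but only the private key decrypts. The primes 104729 and 104723 are an assumption chosen small so the numbers stay readable; textbook RSA without padding is never used as-is in real systems.

```python
from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

def shift_encrypt(plaintext: str, key: int) -> str:
    """Symmetric key: the same number 'key' both encrypts and decrypts.
    Letters are shifted along the alphabet; anything else passes through unchanged."""
    out = []
    for ch in plaintext.upper():
        out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26] if ch in ALPHABET else ch)
    return "".join(out)

def shift_decrypt(ciphertext: str, key: int) -> str:
    return shift_encrypt(ciphertext, -key)

def shift_brute_force(ciphertext: str) -> dict:
    """The caveat: with only 26 possible keys an attacker simply tries them all.
    Real VPN ciphers have 2**128 or more keys precisely so that this is impossible."""
    return {k: shift_decrypt(ciphertext, k) for k in range(26)}

def rsa_keygen(p: int, q: int, e: int = 65537):
    """Textbook RSA from two primes (illustration only). Returns (public_key, private_key)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with (p-1)(q-1)")
    d = pow(e, -1, phi)            # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)

def rsa_encrypt(public_key, message: int) -> int:
    """Anyone holding the public key can encrypt ..."""
    n, e = public_key
    if not 0 <= message < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(message, e, n)

def rsa_decrypt(private_key, ciphertext: int) -> int:
    """... but only the holder of the private key can decrypt."""
    n, d = private_key
    return pow(ciphertext, d, n)

if __name__ == "__main__":
    secret = shift_encrypt("ATTACK AT DAWN", 2)
    print(secret, "->", shift_decrypt(secret, 2))
    print("brute force recovers it at key 2:", shift_brute_force(secret)[2])
    # Assumed small primes for readability; real keys are 2048 bits or more.
    pub, priv = rsa_keygen(104729, 104723)
    m = int.from_bytes(b"OK", "big")
    c = rsa_encrypt(pub, m)
    print("ciphertext", c, "decrypts to", rsa_decrypt(priv, c).to_bytes(2, "big"))
```

In a VPN the two mechanisms are combined: the public-key step (inside IKE for IPSec, or the certificate exchange of a client) is used only to agree a fresh symmetric key, and the bulk traffic is then encrypted with the fast symmetric cipher.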
3) IPSec
Definition:
[ Short for IP Security, a set of protocols developed by the IETF to support
secure exchange of packets at the IP layer. IPsec has been deployed widely
to implement Virtual Private Networks (VPNs). ]
My Definition:
Internet Protocol Security (IPSec) provides confidentiality (encryption), data
integrity, origin authentication and anti-replay protection at the IP layer,
with stronger encryption algorithms and more comprehensive authentication
than the older PPP-based tunnelling protocols.
IPSec has two modes: tunnel and transport. Tunnel mode protects the whole
original packet, header and payload, and adds a new outer IP header, so an
observer sees only the two gateway addresses; transport mode protects only
the payload and leaves the original IP header in the clear. Only systems that
are IPSec compliant can take advantage of this protocol. The two peers must
also agree on keys (normally negotiated with IKE rather than configured by
hand) and the firewalls of each network must have compatible security
policies set up. IPSec can encrypt data between various devices, such as:
• Router to router
• Firewall to router
• PC to router
• PC to server
4) AAA Servers
Definition:
Resource: Webopedia
http://www.webopedia.com/TERM/A/AAA.html
[ Short for authentication, authorization and accounting, a system in IPbased networking to control what computer resources users have
access to and to keep track of the activity of users over a network. ]
My Definition:
AAA (authentication, authorization and accounting) servers are used for
more secure access in a remote-access VPN environment. When a
request to establish a session comes in from a dial-up client, the
request is proxied to the AAA server. AAA then checks the following:
· Who you are (authentication)
· What you are allowed to do (authorization)
· What you actually do (accounting)
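As an added worked example of the authentication step (my own illustration, not code from any AAA product), the following Python builds the RADIUS Access-Request that a NAS proxies to the AAA server, with the User-Password attribute hidden exactly as RFC 2865 specifies, and a minimal server that answers Access-Accept or Access-Reject with a valid Response Authenticator, which the NAS then verifies. The shared secret, user name and password are constructed for the example, and the plaintext user table is an assumption kept for brevity.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def _attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length includes the 2-byte header."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the first block uses the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the same chain run backwards, then the null padding stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(username: bytes, password: bytes, secret: bytes,
                         identifier: int = 1, authenticator: bytes = None) -> bytes:
    """NAS side: what is proxied to the AAA server when a dial-up client connects."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attribute(ATTR_USER_NAME, username)
             + _attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(data: bytes) -> dict:
    attrs = {}
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[0]] = data[2:data[1]]
        data = data[data[1]:]
    return attrs

def response_authenticator(code: int, identifier: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def aaa_server(packet: bytes, secret: bytes, users: dict) -> bytes:
    """Authentication step: recover the password and answer Accept or Reject.
    'users' is an assumed plaintext table; a real server would hold hashes or use CHAP."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = parse_attributes(packet[20:length])
    username = attrs.get(ATTR_USER_NAME, b"")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    expected = users.get(username)
    ok = expected is not None and hmac.compare_digest(expected, password)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = b""   # authorization attributes (e.g. Framed-IP-Address) would go here
    return (struct.pack("!BBH", reply_code, identifier, 20 + len(reply_attrs))
            + response_authenticator(reply_code, identifier, reply_attrs, request_auth, secret)
            + reply_attrs)

def nas_check_reply(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: accept a reply only if its Response Authenticator proves it came from
    a server holding the shared secret; otherwise anyone could inject an Access-Accept."""
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, identifier, reply[20:length], request_auth, secret)
    return hmac.compare_digest(reply[4:20], expected)

if __name__ == "__main__":
    secret, users = b"s3cret-shared", {b"rashid": b"pass1234"}   # constructed
    req = build_access_request(b"rashid", b"pass1234", secret, identifier=7)
    reply = aaa_server(req, secret, users)
    print("code", reply[0], "authentic:", nas_check_reply(reply, req[4:20], secret))
```

Two things the code makes visible: the Response Authenticator is the only thing stopping a forged Access-Accept between NAS and server, and the password hiding is only as strong as MD5 and the shared secret, so the NAS-to-AAA leg itself belongs on a trusted network, not on the public side of the VPN.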
VPN Technologies
Depending on the type of VPN (remote-access or site-to-site), certain components will need to be put in place to
build the VPN. These might include:
· Desktop software client for each remote user
· Dedicated hardware such as a VPN concentrator or Secure PIX firewall
· Dedicated VPN server for dial-up services
· NAS (network access server) used by the service provider for remote-user VPN access
· VPN network and policy-management centre
Because no single standard covers every part of a VPN (the tunnelling
protocol, the client software and the management tools), many companies
have developed turn-key solutions of their own.
VPN Concentrator
Incorporating the most advanced encryption and authentication techniques available,
Cisco VPN concentrators are built specifically for creating a remote-access VPN.
They provide high availability, high performance and scalability and include
components, called scalable encryption processing (SEP) modules, which enable
users to easily increase capacity and throughput. The concentrators are offered in
models suitable for everything from small businesses with up to 100 remote-access
users to large organizations with up to 10,000 simultaneous remote users.
VPN-Optimized Router
Cisco's VPN-optimized routers provide scalability, routing, security and QoS (quality of
service). Based on the Cisco IOS (Internet Operating System) software, there is a
router suitable for every situation, from small-office/home-office (SOHO) access
through central-site VPN aggregation, to large-scale enterprise needs.
Cisco Secure PIX Firewall
The Cisco PIX (Private Internet Exchange) Firewall combines dynamic network address translation, proxy server,
packet filtering, firewall and VPN capabilities in a single piece of hardware.
Instead of using Cisco IOS, this device has a highly streamlined OS that trades the ability
to handle a variety of protocols for robustness and performance by focusing
on IP.
Tunnelling
[ (tun´əl-ing) (n.) A technology that enables one network to send its data via another
network's connections. Tunneling works by encapsulating a network protocol within
packets carried by the second network. For example, Microsoft's PPTP technology
enables organizations to use the Internet to transmit data across a VPN. It does this
by embedding its own network protocol within the TCP/IP packets carried by the
Internet. ]
My Definition:
Most VPNs rely on tunneling to create a private network that reaches across the Internet.
Essentially, tunneling is the process of placing an entire packet within another packet
and sending it over a network. The protocol of the outer packet is understood by the
network and both points, called tunnel interfaces, where the packet enters and exits
the network.
• Carrier protocol - The protocol used by the network that the information is travelling over
• Encapsulating protocol - The protocol (GRE, IPSec, L2F, PPTP, L2TP) that is wrapped around the original data
• Passenger protocol - The original data (IPX, NetBEUI, IP) being carried
To explain and simplify the process of Tunneling I will give an example: It’s like having a
Mobile phone delivered by Royal Mail. The Mobile Phone Company packs the Mobile
Phone (passenger protocol) into a box (encapsulating protocol) which is then put on a
Royal Mail delivery truck (carrier protocol) at the Mobile Phone Company’s
warehouse (entry tunnel interface). The truck (carrier protocol) travels over the
Motorways (Internet) to customer’s home (exit tunnel interface) and delivers the
Mobile Phone. The customer opens the box (encapsulating protocol) and removes
the Mobile Phone (passenger protocol). That’s called Tunneling. Simple!
Tunnelling has several useful applications for VPNs. For example, a packet that uses a
protocol not supported on the Internet (such as NetBEUI) can be placed
inside an IP packet and carried over the Internet. Or a packet that uses
a private (non-routable) IP address can be put inside a packet that uses a
globally unique IP address to extend a private network over the Internet.
Note that tunnelling by itself only moves packets; it does not hide them.
Privacy comes from the encryption layered on top, such as IPSec.
Tunneling: Site-to-Site
In a site-to-site VPN, GRE (generic routing encapsulation) is normally the
encapsulating protocol that provides the framework for how to package the
passenger protocol for transport over the carrier protocol, which is typically
IP-based. The GRE header records what type of packet is being encapsulated
(and, with its optional key field, which tunnel it belongs to), but GRE itself
provides no encryption or authentication, so on its own it gives a tunnel that
is not private. Instead of GRE, IPSec in tunnel mode is often used as the
encapsulating protocol, or IPSec is applied to the GRE tunnel to protect it.
IPSec works well on both remote-access and site-to-site VPNs. IPSec must be
supported at both tunnel interfaces to be used.
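The following added example (my own illustration for the "Tunnelling" and "Tunnelling: Site-to-Site" sections, not Cisco or Microsoft code) builds the three layers in Python with the real header layouts: a passenger IPv4 packet, a GRE encapsulating header (RFC 2784) and a carrier IPv4 header, and then decapsulates at the exit tunnel interface with the checks a real endpoint performs. The on_path_view function is the caveat made visible: with GRE alone, anyone on the Internet path reads the private addresses and the data, which is exactly why IPSec is layered on top or used in tunnel mode instead. The addresses and payload are constructed for the example.

```python
import ipaddress
import struct

GRE_PROTOCOL = 47          # IP protocol number carried in the outer (carrier) header
ETHERTYPE_IPV4 = 0x0800    # GRE protocol type for an IPv4 passenger packet

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 791); returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload

def parse_ipv4(packet: bytes):
    """Return (src, dst, proto, payload); refuses a corrupted or non-IPv4 header."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or len(packet) < ihl or ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("not a valid IPv4 header")
    total_len = struct.unpack("!H", packet[2:4])[0]
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    return src, dst, packet[9], packet[ihl:total_len]

def gre_encapsulate(passenger: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Entry tunnel interface: box the passenger in a GRE header, then in the carrier IP header."""
    gre_header = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)   # no C/K/S flags, version 0
    return build_ipv4(tunnel_src, tunnel_dst, GRE_PROTOCOL, gre_header + passenger)

def gre_decapsulate(carrier: bytes) -> bytes:
    """Exit tunnel interface: check the carrier and GRE headers and return the passenger."""
    _, _, proto, payload = parse_ipv4(carrier)
    if proto != GRE_PROTOCOL:
        raise ValueError("carrier payload is not GRE")
    flags_version, protocol_type = struct.unpack("!HH", payload[:4])
    if flags_version & 0x0007:
        raise ValueError("unsupported GRE version")
    if flags_version & 0xB000:        # C, K or S bit: optional fields present, not handled here
        raise ValueError("GRE optional fields not supported")
    if protocol_type != ETHERTYPE_IPV4:
        raise ValueError("unexpected passenger protocol 0x%04x" % protocol_type)
    return payload[4:]

def on_path_view(carrier: bytes) -> dict:
    """What anyone on the Internet path learns from a plain GRE tunnel: everything.
    GRE only encapsulates; confidentiality has to come from IPSec on top of it
    (or IPSec tunnel mode instead of it), which is why the text pairs the two."""
    outer_src, outer_dst, _, _ = parse_ipv4(carrier)
    inner_src, inner_dst, _, data = parse_ipv4(gre_decapsulate(carrier))
    return {"tunnel_endpoints": (outer_src, outer_dst),
            "private_hosts": (inner_src, inner_dst),
            "application_data": data}

if __name__ == "__main__":
    # Constructed packet: a private head-office host talking to a private branch host.
    passenger = build_ipv4("192.168.10.5", "192.168.20.9", 17, b"sales figures (placeholder payload)")
    carrier = gre_encapsulate(passenger, "203.0.113.10", "198.51.100.20")
    assert gre_decapsulate(carrier) == passenger
    print(on_path_view(carrier))
```

The carrier header addresses the two tunnel endpoints (the public addresses of the head-office and branch gateways), the GRE header names the passenger protocol, and the passenger keeps its private 192.168.x.x addresses untouched, which is how a private network is extended over the Internet. In IPSec tunnel mode the same layering applies, but everything after the new outer header is encrypted, so on_path_view would yield only the tunnel endpoints.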
Tunnelling: Remote-Access
In a remote-access VPN, tunnelling normally takes place using PPP. PPP is the
link-layer protocol that carries IP (and other network protocols) between the
host computer and the remote system, and remote-access VPN tunnelling relies
on it. Each of the protocols listed below carries PPP frames across the public
network, and therefore inherits PPP's authentication schemes; all are used by
remote-access VPNs.
L2F (Layer 2 Forwarding)
[ Often abbreviated as L2F, a tunneling protocol developed by Cisco Systems. L2F is similar to the PPTP protocol
developed by Microsoft, enabling organizations to set up virtual private networks (VPNs) that use the Internet
backbone to move packets. ]
Developed by Cisco, L2F will use any authentication scheme supported by PPP.
PPTP (Point-to-Point Tunneling Protocol)
[ Short for Point-to-Point Tunneling Protocol, a new technology for creating Virtual Private Networks (VPNs) , developed
jointly by Microsoft Corporation, U.S. Robotics, and several remote access vendor companies, known collectively
as the PPTP Forum. A VPN is a private network of computers that uses the public Internet to connect some
nodes. Because the Internet is essentially an open network, the Point-to-Point Tunneling Protocol (PPTP) is used
to ensure that messages transmitted from one VPN node to another are secure. With PPTP, users can dial in to
their corporate network via the Internet. ]
PPTP was created by the PPTP Forum, a consortium which includes US Robotics, Microsoft, 3COM, Ascend and ECI
Telematics. PPTP supports 40-bit and 128-bit encryption (MPPE) and will use any authentication scheme supported by
PPP. A caveat for Sun Infosys: MPPE derives its keys from the MS-CHAP password exchange, whose weaknesses have
been publicly documented since 1998, so PPTP should be treated as the least secure option here and L2TP/IPSec or
native IPSec preferred wherever the clients support it.
L2TP (Layer 2 Tunneling Protocol)
[ Short for Layer Two (2) Tunneling Protocol, an extension to the PPP protocol that enables ISPs to operate Virtual
Private Networks (VPNs). L2TP merges the best features of two other tunneling protocols: PPTP from Microsoft
and L2F from Cisco Systems. Like PPTP, L2TP requires that the ISP's routers support the protocol. ]
L2TP is the product of a partnership between the members of the PPTP Forum, Cisco and the IETF (Internet
Engineering Task Force). Combining features of both PPTP and L2F, L2TP provides no encryption of its own; for
confidentiality and authentication it is normally run over IPSec (L2TP/IPSec), which is the combination the
Windows clients support.
L2TP can be used as a tunnelling protocol for site-to-site VPNs as well as remote-access VPNs. In fact, L2TP can
create a tunnel between:
· Client and router
· NAS and router
· Router and router
What is MPLS?
MPLS stands for "Multiprotocol Label Switching". In an MPLS network,
incoming packets are assigned a "label" by a "label edge router
(LER)". Packets are forwarded along a "label switch path (LSP)" where
each "label switch router (LSR)" makes forwarding decisions based
solely on the contents of the label. At each hop, the LSR strips off the
existing label and applies a new label which tells the next hop how to
forward the packet.
Label Switch Paths (LSPs) are established by network operators for a variety of
purposes, such as to guarantee a certain level of performance, to route
around network congestion, or to create IP tunnels for network-based virtual
private networks. In many ways, LSPs are no different than circuit-switched
paths in ATM or Frame Relay networks, except that they are not dependent
on a particular Layer 2 technology.
An LSP can be established that crosses multiple Layer 2 transports such as
ATM, Frame Relay or Ethernet. Thus, one of the true promises of MPLS is
the ability to create end-to-end circuits, with specific performance
characteristics, across any type of transport medium, eliminating the need
for overlay networks or Layer 2 only control mechanisms.
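Added example (my own illustration, not vendor code) of the label switching described above: a three-router LSP in which the ingress LER classifies the packet by longest-prefix match on its destination, each LSR swaps labels from its own table without looking at the IP header again, and the egress pops the label. Router names, label values and prefixes are assumptions constructed for the example.

```python
import ipaddress

# Constructed three-router LSP: LER-A (ingress) -> LSR-B -> LER-C (egress).
# Router names, labels and prefixes are assumptions for illustration only.

# Ingress: forwarding equivalence class (destination prefix) -> (label to push, next hop)
FEC_TABLE = {
    "LER-A": {
        "192.168.0.0/16": (100, "LSR-B"),
        "192.168.20.0/24": (110, "LSR-B"),   # more specific prefix, its own LSP
    },
}

# Transit and egress: incoming label -> (outgoing label, next hop); None = pop at egress
LFIB = {
    "LSR-B": {100: (200, "LER-C"), 110: (210, "LER-C")},
    "LER-C": {200: (None, "local"), 210: (None, "local")},
}

def ingress_classify(router: str, dst_ip: str):
    """Only the LER examines the IP header: longest-prefix match chooses the FEC/LSP."""
    candidates = [(ipaddress.ip_network(net), entry)
                  for net, entry in FEC_TABLE[router].items()
                  if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(net)]
    if not candidates:
        raise ValueError("no LSP for destination %s" % dst_ip)
    _, (label, next_hop) = max(candidates, key=lambda c: c[0].prefixlen)
    return label, next_hop

def forward_along_lsp(dst_ip: str, ingress: str):
    """Return the hop-by-hop trace as (router, label_in, label_out). After ingress every
    decision is a label lookup; the destination address is never consulted again, and a
    frame arriving with a label the router has no entry for is dropped."""
    label, router = ingress_classify(ingress, dst_ip)
    trace = [(ingress, None, label)]
    while label is not None:
        try:
            out_label, next_hop = LFIB[router][label]
        except KeyError:
            raise ValueError("%s has no entry for label %d; frame dropped" % (router, label))
        trace.append((router, label, out_label))
        label, router = out_label, next_hop
    return trace

if __name__ == "__main__":
    for dst in ("192.168.5.1", "192.168.20.7"):
        print(dst, "->", forward_along_lsp(dst, "LER-A"))
```

The separation an MPLS VPN gives a customer comes entirely from the operator's label tables: two customers' packets with identical private addresses travel on different LSPs because the ingress LER assigned them different labels, not because anything in the packet itself is checked downstream.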
Project Plan and charts:
1) Performance needs of the remote applications
2) IP Address Planning
3) ISP Evaluation
4) Planning Firewall Policy Changes (if VPN Server is behind firewall)
5) Remote VPN Implementation Issues
6) Remote Branch Office Considerations
7) Using Microsoft Networking with Remote VPN
8) Integration into the Corporate Network
9) Performance Considerations
10) Project time frame
11) Beta testing
12) Final rollout
13) Project Windup
Conclusions:
After meeting with Mr. Andy, the managing director, with sales, support
and technicians, and visiting both the head office and the branch office,
taking inventory of existing hardware, computer systems and software,
and the budget and time frame required, I have come to conclude that
not only will this company benefit enormously from a Virtual Private
Network but it also already has the infrastructure in place. They
already have Windows Server 2003 installed and configured, and
really it is just a matter of installing Microsoft's ISA Server 2004 and
using it to its full potential. Of course they will require VPN pass-through
router upgrades, higher bandwidth to the VPN server,
broadband infrastructure improvements, IP address schemes, VPN
client software and staff training. All of this can be easily achieved
as the company staff are highly technical and the company is already
a computer hardware vendor, so hardware procurement should not
be a major issue. I am sure I will be able to install and implement
this project well before time.