|
Home
>Technology > Full Story
The
VPN advantage
Want
to deploy a VPN for your organization? Here is all you ever
wanted to know about VPNs the benefits, security, management,
et al
The
cost of management and upkeep of the VPN setup compared to
owning and operating a private network infrastructure is drastically
reduced
Virtual
Private Network (VPN) is a network deployed using public shared
infrastructure while adhering to the policies of a private
network. Examples of this kind of networks would be traditional
X.25, Frame Relay, ATM, IP technologies based network
and so on. VPNs do not inherently change WAN requirements
such as support for multiple protocols, high reliability,
and extensive scalability, but instead meet these requirements
more cost effectively. A VPN can utilize the most pervasive
transport technologies available today: the public ISP, IP
backbones, as well as shared Frame Relay and ATM networks.
Why
VPNs?
VPNs
offer many advantages over traditional leased line networks.
Some of the primary benefits are:
Lower
cost than private networks
Elements
of cost reduction include transport media, bandwidth, backbone
equipment, and operations. According to industry research, site-to-site
connectivity costs are typically reduced by 20-40 percent over
domestic leased line networks. Cost reduction for client to
site dial access is even greater, in the 60-80 percent range.
More
flexible and scalable network architecture
Enabling
enterprises to more easily and cost effectively communicate
with remote offices, international locations, telecommuters,
roaming mobile users, and external partners as business requirements
demand.
Reduced
management onus
The
cost of management and upkeep of the network setup compared
to owning and operating a private network infrastructure is
drastically reduced. Enterprises may outsource some or all of
their wide area networking functions to a service provider.
This enables enterprises to focus on core business objectives,
instead of managing a WAN or dial access network.
Apart
from providing these cost related advantages, VPNs also help
increase the productivity and improve working conditions for
the enterprises.
Elements
of a VPN
VPN
solutions vary based on the breadth of features offered. A VPN
platform must be secure from intrusion and tampering, deliver
real time mission-critical data in a reliable and timely manner.
At the same time it must be manageable across the enterprise.
Unless each of these requirements is addressed, the VPN solution
is incomplete.
The
essential elements of a VPN
can be segmented into four broad categories:
Security:
Tunneling, encryption, packet authentication, user authentication,
and access control. The infrastructure should be capable of
handling, reporting various security threats, hacking attacks.
Quality
of Service (QoS): Queuing, network congestion avoidance,
traffic shaping, and packet classification. These components
are important for providing reliable and timely delivery of
enterprise data. Also, they help define the Service Level Agreement
(SLA) for various enterprise VPNs across the SP backbone.
Management:
Enforcing
security and QoS policies across the VPN. Once the SLA and security
policies have been defined, the monitoring, reporting and management
tools for the VPN have to be defined and implemented.
Scalability:
Ability to adapt the VPN to meet changing bandwidth and connectivity
needs. Moving forward based on the reporting and proactive monitoring
of the VPN, the SP and the enterprise need to assess the VPN
and plan for the scalability and future traffic and network
growth.
Implementing
these VPN components does not necessarily require replacement
of existing WAN infrastructure. However, it does call for "VPN-capable"
platforms. For example, for implementing a security component,
the networking infrastructure should be capable of supporting
some kind of security mechanisms such as IPSec etc.
Lets
discuss about these different elements of a VPN in detail.
Security
Deploying
WANs on a shared network makes security issues a prime concern.
Enterprises need to be assured that their VPNs are secure from
perpetrators observing or tampering with confidential data passing
over the network and from unauthorized users gaining access
to network resources and proprietary information. Techniques
such as encryption, authentication, and access control guard
against these security breaches.
There
are 4 key components of VPN security.
-
Tunnels and Encryption
-
Packet Authentication
-
Firewalls and Intrusion Detection
-
User Authentication
These
mechanisms complement each other, providing security at different
points throughout the network. VPN solutions must offer each
of these security features to be considered a viable solution
for utilizing a public network infrastructure.
Tunnels
and Encryption: VPNs employ encrypted tunnels to protect data
from being intercepted and viewed by unauthorized entities and
to perform multi-protocol encapsulation, if necessary. Tunnels
provide logical, point-to-point connections across a connectionless
IP network, enabling application of advanced security features
in a connectionless environment.
Encryption
is applied to the tunneled connection to scramble data, thus
making data legible only to authorized senders and receivers.
In applications where security is less of a concern, tunnels
can be employed without encryption to provide multi-protocol
support without privacy.
Different
technologies that VPNs employ today are IPSec, Layer 2 Tunneling
Protocol (L2TP), Layer 2 Forwarding (L2F), and Generic Routing
Encapsulation (GRE) for tunnel support, as well as the strongest
standard encryption technologies available, DES, and 3DES. Furthermore,
for managing security and encryption administration, VPNs should
support major certificate authority vendors, such as Verisign,
Entrust, Netscape and so on.
Packet
Authentication: While intercepting and viewing data on a
shared network is the primary security concern for enterprises,
data integrity is also an issue. On an unsecured network, packets
can be intercepted by a perpetrator, the contents changed, then
forwarded on to their destination with erroneous information.
This
kind of attack is also known as MiddleMan attack. For example,
an intruder can modify an order placed to a supplier over an
unsecured network, by, lets say, changing the order quantity
from 10,000 to 10. Packet authentication protects against such
tampering by applying headers to the IP packet to ensure its
integrity. Components of IPSec, authentication header (AH) and
Encapsulation Security Protocol (ESP), are employed in conjunction
with industry standard hashing algorithms such as MD-5 and Secure
Hash Algorithm (SHA) to ensure data integrity of packets transmitted
over a shared IP backbone. Firewalls and Intrusion Detection:
A critical part of an overall security solution is a network
firewall that monitors traffic crossing network perimeters and
imposes restrictions according to security
policy. In a VPN application, firewalls protect enterprise networks
from unauthorized access to computing resources and network
attacks, such as denial of service.
Furthermore,
for authorized traffic, a VPN firewall verifies the source of
the traffic and prescribes what access privileges users are
permitted. An added element of insurance in perimeter security
is intrusion detection. While firewalls permit/deny traffic
based on source, destination, port and other criteria, they
do not actually analyze traffic.
Intrusion
Detection Systems (IDS) operate in conjunction with firewalls
to extend perimeter security to the packet payload level by
analyzing the content and context of individual packets to determine
if the traffic is authorized. If a network's data stream experiences
unauthorized activity, IDS automatically applies real time security
policy, such as disconnecting the offending session, implementing
access control lists on the fly to avoid similar attacks in
future and notifies a network administrator of the incident.
User Authentication: A key component of VPN security is making
sure authorized users get access to the required enterprise
computing resources, while unauthorized users are blocked off
the network entirely. VPN solutions are built around authentication,
authorization, and accounting (AAA) capabilities that provide
the foundation to authenticate users, determine access levels,
and archive all the necessary audit and accounting data. Such
capabilities are paramount in dial up access and extranet applications
of VPNs. Most of the remote dial up access VPN solutions support
RADIUS and TACACS+ user authentication platforms.
Managing
Throughput: Quality of Service (QoS)
QoS
is an essential component for efficient use of precious WAN
bandwidth and ensuring reliable throughput of important data.
The erupt nature of network traffic characteristically makes
poor use of network bandwidth by sending too many packets into
the network at once or congesting network bottlenecks. The result
is two-fold:
-
WAN links are under-utilized a majority of the time, letting
expensive bandwidth lie dormant.
-
Network congestion during peak times constrains throughput
of delay-sensitive and/or mission-critical traffic.
QoS
determines the network's ability
to assign resources to mission- critical
or real-time applications such as voice/video, while limiting
resources committed to low priority traffic. QoS solves the
fundamental issues of predictable performance and policy implementation
for applications running on a VPN. Policies are used to assign
network resources to specific users, applications, project
groups, or servers in a prioritized way. QoS consists of following
components with respect to Layer 2 and Layer 3 VPNs:
-
Packet Classification assigns packet priority based on enterprise
network policy.
-
Committed Access Rate (CAR) guarantees minimum throughput
levels
to specific applications and/or
users based on enterprise network policy.
-
Weighted Fair Queuing (WFQ) allocates packet throughput
based on packet priority.
-
Weighted Random Early Detection (WRED) complements TCP in
predicting and managing network congestion on the VPN backbone,
ensuring predictable throughput rates.
-
Multi-Protocol Label Switching (MPLS) ensures continuity
of packet priority across Layer 2 and Layer 3 VPNs.
These
QoS mechanisms complement each other, working together in different
parts of the VPN to create a comprehensive end-to-end QoS solution.
QoS solutions must be integrated across all parts of the VPN
to be effective; single point solutions
cannot
ensure predictable performance. These QoS mechanisms are must
for both service providers as well as enterprises to implement
and monitor SLAs.
Operating
the VPN: Network Management
VPNs
integrate multiple security and QoS services in addition to
the network devices themselves. Enterprises need to seamlessly
manage these devices and features across the VPN infrastructure,
including remote access and extranet users. Given these issues,
network management becomes a major consideration in a VPN environment.
A VPN WAN architecture, however, allows network managers the
opportunity to outsource many aspects of network management.
Unlike in a private network architecture, a VPN enables enterprises
to define what level of network control they need to retain
in-house, while outsourcing less sensitive functions to service
providers.
Many
companies choose to retain full control over deployment and
daily operation of their VPN, and thus require a comprehensive,
policy-based management system. Such a system extends the existing
management
framework to encompass
WAN management functions unique to VPNs.
As
the WAN is extended with VPN
technology, a strict set of business
requirements must be met
for the enterprise network manager
to be successful. These requirements include:
-
Minimizing Risk: Moving from a dedicated infrastructure
to a shared infrastructure that utilizes WAN transport mediums,
such as the public Internet, present the network manager
with new security and auditing challenges. Network managers
must be able to extend VPN access to multiple corporate
sites, business partners, and remote users, while assuring
the integrity of the corporate data resources.
-
Scale: The rapid addition of mobile users and business
partners to the VPN requires network managers to expand
the network, make hardware and software upgrades, manage
bandwidth, and maintain security policies with unprecedented
speed and accuracy.
-
Cost: To fully realize the cost benefits of a VPN,
network managers must be able to implement new VPN technologies
and provision additional network users without growing the
operations staff at a proportional rate.
Looking
to the Future—Scalability and Migration
When
considering a VPN solution, enterprises should consider how
VPN technology will integrate into their existing network infrastructure
and how it will grow with the dynamic requirements of the enterprise
network. VPNs are not an all or nothing network decision; VPNs
can be phased into existing private network architectures offering
a flexible migration path for the evolution of private networks.
Many
organizations will likely deploy VPNs to augment their existing
private WAN infrastructures. For such hybrid applications, VPNs
can be implemented on existing VPN- capable
routers. Additionally, existing VPN-optimized routers can utilize
optional hardware components to increase security performance.
Implementing
VPN solutions in such a way enables robust VPN
functionality
without impacting existing network infrastructures, thus ensuring
flexibility and growth necessary for the future.
The
breadth of applications in today's networks, such as voice,
video across the enterprise requires an end-to-end architecture
that is fully aware of such applications and has the capabilities
to support such requirements. Such an architecture will enable
achieve the high degree of feature integration over the WAN,
like common QoS functions across the service provider and enterprise
networks.
VPNs
can be divided into three categories based on their topology:
- Remote
dial access: Connects telecommuters, mobile users, or even
smaller remote offices with minimal traffic to the enterprise
WAN and corporate
computing resources.
-
Intranets: An intranet VPN connects fixed locations, branch
and home offices of an enterprise across a WAN.
-
Extranets: An extranet extends limited access to enterprise
computing resources to business partners, such as suppliers
or customers, enabling access to shared information.
The
remote dial access VPNs are also known as Client-to-Site VPNs
and the extranet and intranet both can be termed as Site-to-Site
VPNs.
Chandan Mendiratta is a Systems Engineer at Cisco India and
can be reached at chandannm@cisco.com
|
