
DECLARATION

This is to certify that the Thesis/Report entitled “VIRTUAL
PRIVATE NETWORK” by me in partial fulfillment of the
requirement for the award of the degree B.Tech. in Computer
Science And Engineering, which is submitted to B------
V--------- College Of Engineering, --------- University,
comprises only my original work and due
acknowledgement has been made in the text to all other
material used.

Date: Aug 2010


Rohit Thapliyal

ACKNOWLEDGEMENT

I would like to express my gratitude to all those who gave
me the possibility to complete my summer training
successfully. I want to thank the ----------- for giving me
permission to commence this training and to do the
necessary project work and also to gain some office
experience. I have furthermore to thank Mrs.
---------------- , Technical Director, and his colleagues
under whose supervision I underwent my training.
Very sincere thanks also to Mr. ------------------- , my
project guide at B-------- V--------------- COLLEGE OF
ENGINEERING.

I would also like to express my sincere thanks to Mr. ---------
(HOD, CSE Deptt.) and all the other involved faculty of
the college.

ABSTRACT
Students, staff and faculty increasingly connect to the campus
data network via the Internet. The need to access university
resources is likely to increase dramatically with the
implementation of projects such as Sakai, and VPN services
appear to offer solutions to related remote access requirements.
Additionally, VPN services provide a secure method of improving
remote access to licensed material and other university resources
restricted to systems assigned a campus IP address.
The workgroup examined available VPN technology and believes
that SSL VPN solutions reflect a cost-effective and capable VPN
solution for UC Davis. The workgroup recommends Information
and Educational Technology prepare a Request for Information
for an SSL VPN solution. As part of the RFI process, the
workgroup further recommends that IET perform a pilot test using
SSL VPN solution(s) that meet RFI specifications to ensure
product conformity with our requirements for infrastructure and
campus unit services and performance.
The result of examination and successful testing should be a
Request for Quote that permits a phased implementation based
on campus size, but that does not make a commitment beyond an
initial implementation level that includes current library proxy
users and those users who are denied access to university
resources due to network source address restrictions.

COMPUTER NETWORKS:
• Introduction
• Network classification
• Types of networks
• Basic hardware components

Definition: A computer network is a group of interconnected
computers. Networks may be classified according to a wide variety of
characteristics.

Introduction:
A computer network is a collection of computers and devices
connected to each other. The network allows computers to
communicate with each other and share resources and
information. The Advanced Research Projects Agency (ARPA) designed
the "Advanced Research Projects Agency Network" (ARPANET) for the
United States Department of Defense. It was the first computer network
in the world, built in the late 1960s and early 1970s.

Network classification:
The following list presents categories used for classifying
networks.

Connection method

Computer networks can also be classified according to the
hardware and software technology that is used to interconnect the
individual devices in the network, such as optical fiber, Ethernet,
wireless LAN, HomePNA, power line communication or G.hn. Ethernet
uses physical wiring to connect devices. Frequently deployed devices
include hubs, switches, bridges and/or routers. Wireless LAN
technology is designed to connect devices without wiring. These devices
use radio waves or infrared signals as a transmission medium.
ITU-T G.hn technology uses existing home wiring (coaxial cable, phone
lines and power lines) to create a high-speed (up to 1 Gigabit/s) local
area network.

Scale

Networks are often classified as Local Area Network (LAN), Wide Area
Network (WAN), Metropolitan Area Network (MAN),
Personal Area Network (PAN), Virtual Private Network (VPN),
Campus Area Network (CAN), Storage Area Network (SAN), etc.
depending on their scale, scope and purpose. Usage, trust levels and
access rights often differ between these types of network – for example,
LANs tend to be designed for internal use by an organization's internal
systems and employees in individual physical locations (such as a
building), while WANs may connect physically separate parts of an
organization to each other and may include connections to third parties.

Functional relationship (network architecture)

Computer networks may be classified according to the functional
relationships which exist among the elements of the network, e.g.,
Active Networking, Client-server and Peer-to-peer (workgroup)
architecture.

Network topology

Computer networks may be classified according to the network
topology upon which the network is based, such as bus network, star
network, ring network, mesh network, star-bus network, tree or
hierarchical topology network. Network topology signifies the way in
which devices in the network see their logical relations to one another.
The use of the term "logical" here is significant. That is, network
topology is independent of the "physical" layout of the network. Even if
networked computers are physically placed in a linear arrangement, if
they are connected via a hub, the network has a star topology, rather
than a bus topology. In this regard the
visual and operational characteristics of a network are distinct; the
logical network topology is not necessarily the same as the
physical layout. Networks may also be classified by the form of the data
they carry: digital or analog.

Types of networks

Below is a list of the most common types of computer networks.

Personal area network

A personal area network (PAN) is a computer network used
for communication among computer devices close to one
person. Some examples of devices that are used in a PAN are
printers, fax machines, telephones, PDAs and scanners. The
reach of a PAN is typically about 20-30 feet (approximately 6-9
meters), but this is expected to increase with technology
improvements.

Local area network

A local area network (LAN) is a computer network
covering a small physical area, like a home, office, or small group of
buildings, such as a school, or an airport. Current wired LANs are most
likely to be based on Ethernet technology, although new standards like
ITU-T G.hn also provide a way to create a wired LAN using existing
home wires (coaxial cables, phone lines and power lines).
For example, a library may have a wired or wireless
LAN for users to interconnect local devices (e.g., printers and
servers) and to connect to the internet. On a wired LAN, PCs in the
library are typically connected by category 5 (Cat5) cable, running the
IEEE 802.3 protocol through a system of interconnected devices and
eventually connecting to the Internet. The cables to the servers are typically
Cat 5e enhanced cable, which will support IEEE 802.3 at 1 Gbit/s. A
wireless LAN may exist using a different IEEE protocol, 802.11b,
802.11g or possibly 802.11n.
The staff computers (bright green in the figure) can get to the color
printer, checkout records, and the academic network and the Internet.
All user computers can get to the Internet and the card catalog. Each
workgroup can get to its local printer. Note that the printers are not
accessible from outside their workgroup.
Figure: Typical library network, in a branching tree topology with controlled
access to resources.
All interconnected devices must understand the network layer (layer 3),
because they are handling multiple subnets (the different colors). Those
inside the library, which have only 10/100 Mbit/s Ethernet connections
to the user device and a Gigabit Ethernet connection to the central
router, could be called "layer 3 switches" because they only have
Ethernet interfaces and must understand IP. It would be more correct to
call them access routers, where the router at the top is a distribution
router that connects to the Internet and academic networks' customer
access routers.
The defining characteristics of LANs, in contrast to
WANs (wide area networks), include their higher data transfer
rates, smaller geographic range, and lack of a need for leased
telecommunication lines. Current Ethernet or other IEEE 802.3
LAN technologies operate at speeds up to 10 Gbit/s. This is the
data transfer rate. IEEE has projects investigating the
standardization of 100 Gbit/s, and possibly 400 Gbit/s.

Campus area network

A campus area network (CAN) is a computer network
made up of an interconnection of local area networks (LANs) within a
limited geographical area. It can be considered one form of a
metropolitan area network, specific to an academic setting.

In the case of a university campus-based campus area network, the
network is likely to link a variety of campus buildings including
academic departments, the university library and student residence halls.
A campus area network is larger than a local area network but smaller
than a wide area network (WAN) (in some cases).

The main aim of a campus area network is to facilitate students
accessing internet and university resources. This is a network that
connects two or more LANs but that is limited to a specific and
contiguous geographical area such as a college campus, industrial
complex, office building, or a military base. A CAN may be considered
a type of MAN (metropolitan area network), but is generally limited to a
smaller area than a typical MAN. This term is most often used to discuss
the implementation of networks for a contiguous area. This should not
be confused with a Controller Area Network. A LAN connects network
devices over a relatively short distance. A networked office building,
school, or home usually contains a single LAN, though sometimes one
building will contain a few small LANs (perhaps one per room), and
occasionally a LAN will span a group of nearby buildings. In TCP/IP
networking, a LAN is often but not always implemented as a single IP
subnet.

Metropolitan area network

A metropolitan area network (MAN) is a network that
connects two or more local area networks or campus area networks
together but does not extend beyond the boundaries of the
immediate town/city. Routers, switches and hubs are connected to create
a metropolitan area network.

Wide area network

A wide area network (WAN) is a computer network that
covers a broad area (i.e. any network whose communications links
cross metropolitan, regional, or national boundaries [1]). Less
formally, a WAN is a network that uses routers and public
communications links. Contrast with personal area networks
(PANs), local area networks (LANs), campus area networks
(CANs), or metropolitan area networks (MANs), which are usually
limited to a room, building, campus or specific metropolitan area (e.g., a
city) respectively. The largest and most well-known example of a WAN
is the Internet.
A WAN is a data communications network that covers a relatively broad
geographic area (i.e. one city to another and one country to another
country) and that often uses transmission facilities provided by common
carriers, such as telephone companies. WAN technologies generally
function at the lower three layers of the OSI reference model: the
physical layer, the data link layer, and the network layer.

Global area network

A global area network (GAN) specification is in
development by several groups, and there is no common definition.
In general, however, a GAN is a model for supporting mobile
communications across an arbitrary number of wireless LANs,
satellite coverage areas, etc. The key challenge in mobile
communications is "handing off" the user communications from
one local coverage area to the next. In IEEE Project 802, this
involves a succession of terrestrial wireless local area networks
(WLAN).

Internetwork

Internetworking involves connecting two or more distinct computer
networks or network segments via a common routing technology. The
result is called an internetwork (often shortened to internet): two or
more networks or network segments connected using devices that
operate at layer 3 (the 'network' layer) of the OSI Basic Reference
Model, such as a router. Any interconnection among or between public,
private, commercial, industrial, or governmental networks may also be
defined as an internetwork.
In modern practice, the interconnected networks use the
Internet Protocol. There are at least three variants of internetwork,
depending on who administers and who participates in them:

Intranet
Extranet
Internet

Intranets and extranets may or may not have
connections to the Internet. If connected to the Internet, the intranet or
extranet is normally protected from being accessed from the Internet
without proper authorization. The Internet is not considered to be a part
of the intranet or extranet, although it may serve as a portal for access to
portions of an extranet.

Intranet
An intranet is a set of networks, using the Internet
Protocol and IP-based tools such as web browsers and file transfer
applications, that is under the control of a single administrative entity.
That administrative entity closes the intranet to all but specific,
authorized users. Most commonly, an intranet is the internal network of
an organization. A large intranet will typically have at least one web
server to provide users with organizational information.

Extranet
An extranet is a network or internetwork that is limited in scope to a
single organization or entity but which also has limited connections to
the networks of one or more other usually, but not necessarily, trusted
organizations or entities (e.g., a company's customers may be given
access to some part of its intranet, creating in this way an extranet,
while at the same time the customers may not be considered 'trusted'
from a security standpoint). Technically, an extranet may also be
categorized as a CAN,
MAN, WAN, or other type of network, although, by
definition, an extranet cannot consist of a single LAN; it must have at
least one connection with an external network.

Internet

The Internet is a specific internetwork. It consists of a worldwide
interconnection of governmental, academic, public, and private networks
based upon the networking technologies of the Internet Protocol Suite. It
is the successor of the Advanced Research Projects Agency Network
(ARPANET) developed by DARPA of the U.S. Department of Defense.
The Internet is also the communications backbone underlying the World
Wide Web (WWW). The 'Internet' is most commonly spelled with a
capital 'I' as a proper noun, for historical reasons and to distinguish it
from other generic internetworks. Participants in the Internet use a
diverse array of methods of several hundred documented, and often
standardized, protocols compatible with the Internet Protocol Suite and
an addressing system (IP Addresses) administered by the Internet
Assigned Numbers Authority and address registries. Service providers
and large enterprises exchange information about the reachability of
their address spaces through the Border Gateway Protocol (BGP),
forming a redundant worldwide mesh of transmission paths.

Virtual private network

A virtual private network (VPN) is a computer network in which some
of the links between nodes are carried by open connections or virtual
circuits in some larger network (e.g., the Internet) instead of by physical
wires. The link-layer protocols
of the virtual network are said to be tunneled through the larger
network when this is the case. One common application is secure
communications through the public Internet, but a VPN need not have
explicit security features, such as authentication or content encryption.
VPNs, for example, can be used to separate the traffic of different user
communities over an underlying network with strong security features.
A VPN may have best-effort performance, or may have
a defined service level agreement (SLA) between the VPN
customer and the VPN service provider. Generally, a VPN has a
topology more complex than point-to-point.

A VPN allows computer users to appear to be connecting from an IP address
location other than the one which connects the
actual computer to the Internet.

Basic hardware components

All networks are made up of basic hardware building blocks to
interconnect network nodes, such as Network Interface Cards (NICs),
Bridges, Hubs, Switches, and Routers. In addition, some method of
connecting these building blocks is required, usually in the form of
galvanic cable (most commonly Category 5 cable). Less common are
microwave links (as in IEEE 802.12) or optical cable ("optical fiber").
An ethernet card may also be required.

Network interface cards

A network card, network adapter or NIC (network interface card) is a
piece of computer hardware designed to allow computers to
communicate over a computer network. It provides physical access to a
networking medium and often provides a low-level addressing system
through the use of MAC addresses.

Repeaters

A repeater is an electronic device that receives a signal
and retransmits it at a higher power level, or to the other side of an
obstruction, so that the signal can cover longer distances without
degradation. In most twisted pair Ethernet configurations, repeaters are
required for cable which runs longer than 100 meters.

Hubs
A hub contains multiple ports. When a packet arrives at one port, it is
copied unmodified to all ports of the hub for transmission. The
destination address in the frame is not changed to a broadcast address.

Bridges

A network bridge connects multiple network segments at the data link
layer (layer 2) of the OSI model. Bridges do not promiscuously copy
traffic to all ports, as hubs do, but learn which MAC addresses are
reachable through specific ports. Once the bridge associates a port and
an address, it will send traffic for that address only to that port. Bridges
do send broadcasts to all ports except the one on which the broadcast
was received. Bridges learn the association of ports and addresses by
examining the source address of frames that it sees on various ports.
Once a frame arrives through a port, its source address is stored and the
bridge assumes that MAC address is associated with that port. The first
time that a previously unknown destination address is seen, the bridge
will forward the frame to all ports other than the one on which the frame
arrived.
Bridges come in three basic types:
1. Local bridges: Directly connect local area networks (LANs)
2. Remote bridges: Can be used to create a wide area network
(WAN) link between LANs. Remote bridges, where the connecting link
is slower than the end networks, largely have
been replaced by routers.
3. Wireless bridges: Can be used to join LANs or connect
remote stations to LANs.
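
The hub and bridge behaviour described above (a hub copies every frame to all other ports; a bridge learns source addresses, sends known unicast traffic to one port, and floods broadcasts and unknown destinations) is easy to see in a small simulation. The following Python code is an added example, not code from the report or from any vendor; the frames, port numbers and MAC addresses in it are constructed for the demonstration.

```python
# Added example (not from the report): a minimal simulation of a hub and a
# learning bridge, showing the forwarding behaviour the text describes.
# The MAC addresses, port numbers and frames below are constructed for the demo.
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Frame:
    src: str           # source MAC address
    dst: str           # destination MAC address
    payload: str = ""


class Hub:
    """A hub repeats every frame to every port except the one it arrived on."""

    def __init__(self, ports: int) -> None:
        self.ports = ports

    def forward(self, in_port: int, frame: Frame) -> list[int]:
        return [p for p in range(self.ports) if p != in_port]


class LearningBridge:
    """A transparent bridge: learns source MAC -> port from every frame,
    floods unknown destinations and broadcasts, and sends known unicast
    traffic out of a single port."""

    BROADCAST = "ff:ff:ff:ff:ff:ff"

    def __init__(self, ports: int) -> None:
        self.ports = ports
        self.table: dict[str, int] = {}   # MAC address -> port it was last seen on

    def forward(self, in_port: int, frame: Frame) -> list[int]:
        # Learning step: the sender is reachable through the arrival port.
        self.table[frame.src] = in_port
        out = self.table.get(frame.dst)
        if frame.dst == self.BROADCAST or out is None:
            # Broadcast or unknown destination: flood all other ports.
            return [p for p in range(self.ports) if p != in_port]
        if out == in_port:
            # Sender and receiver share a segment: filter the frame.
            return []
        return [out]


def demo() -> dict[str, list[int]]:
    """Push the same three unicast frames through a 4-port hub and bridge;
    return the list of output ports chosen for each frame."""
    mac_a, mac_b = "00:00:00:00:00:0a", "00:00:00:00:00:0b"
    frames = [
        (0, Frame(mac_a, mac_b)),   # A (port 0) -> B: B unknown, bridge floods
        (2, Frame(mac_b, mac_a)),   # B (port 2) -> A: A known, single port
        (0, Frame(mac_a, mac_b)),   # A -> B again: B now known on port 2
    ]
    hub, bridge = Hub(4), LearningBridge(4)
    results: dict[str, list[int]] = {}
    for i, (port, frame) in enumerate(frames):
        results[f"hub{i}"] = hub.forward(port, frame)
        results[f"bridge{i}"] = bridge.forward(port, frame)
    return results


if __name__ == "__main__":
    for name, ports in demo().items():
        print(f"{name}: forwarded to ports {ports}")
```

Running it shows the hub sending every frame to three ports each time, while the bridge floods only the first frame and then, having learned both addresses, delivers the rest to a single port. The filtering branch is what stops local traffic on one segment from being copied onto the others.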

Switches

A switch is a device that forwards and filters OSI layer 2 datagrams
(chunks of data communication) between ports (connected cables) based
on the MAC addresses in the packets. This is distinct from a hub in that
it only forwards the packets to the ports involved in the communications
rather than all ports connected. Strictly speaking, a switch is not capable
of routing traffic based on IP address (OSI Layer 3) which is necessary
for communicating between network segments or within a large or
complex LAN. Some switches are capable of routing based on IP
addresses but are still called switches as a marketing term. A switch
normally has numerous ports, with the intention being that most or all of
the network is connected directly to the switch, or another switch that is
in turn connected to a switch.
Switch is a marketing term that encompasses routers and bridges, as well
as devices that may distribute traffic on load or by application content
(e.g., a Web URL identifier). Switches may operate at one or more OSI
model layers, including physical, data link, network, or transport (i.e.,
end-to-end). A device that operates simultaneously at more than one of
these layers is called a multilayer switch.

Overemphasizing the ill-defined term "switch" often leads to confusion
when first trying to understand networking. Many experienced network
designers and operators recommend starting with the logic of devices
dealing with only one protocol
level, not all of which are covered by OSI. Multilayer device selection is
an advanced topic that may lead to selecting particular implementations,
but multilayer switching is simply not a real world design concept.

Routers

Routers are networking devices that forward data packets between
networks using headers and forwarding tables to determine the best path
to forward the packets.
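
As an added illustration of the forwarding-table lookup just described, the following Python code (not from the report) models a router's forwarding table with longest-prefix matching, which is how the most specific route wins. The prefixes, next-hop addresses and interface names are assumed values chosen for the demonstration.

```python
# Added example (not from the report): an IPv4 forwarding table with
# longest-prefix-match lookup, the core of how a router picks the next hop.
# The prefixes, next hops and interface names below are constructed for the demo.
from __future__ import annotations

import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    interface: str
    next_hop: Optional[str]   # None means the prefix is directly connected


class ForwardingTable:
    def __init__(self) -> None:
        self.routes: list[Route] = []

    def add(self, prefix: str, interface: str, next_hop: Optional[str] = None) -> None:
        self.routes.append(Route(ipaddress.ip_network(prefix), interface, next_hop))
        # Keep the most specific (longest) prefixes first so the first hit wins.
        self.routes.sort(key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match: the first matching entry is the most specific."""
        addr = ipaddress.ip_address(dst)
        for route in self.routes:
            if addr in route.prefix:
                return route
        return None   # no matching route, not even a default: packet is dropped

    def forward(self, dst: str) -> Optional[tuple[str, str]]:
        """Return (outgoing interface, next-hop address) or None if unroutable.
        For a directly connected prefix the next hop is the destination itself."""
        route = self.lookup(dst)
        if route is None:
            return None
        return route.interface, route.next_hop or dst


def build_demo_table() -> ForwardingTable:
    """A small edge router: one campus LAN, one subnet behind an internal
    router, and a default route towards the ISP (all numbers constructed)."""
    ft = ForwardingTable()
    ft.add("10.1.0.0/16", "eth1")                 # campus LAN, directly connected
    ft.add("10.1.5.0/24", "eth1", "10.1.0.2")     # more specific: via internal router
    ft.add("0.0.0.0/0", "eth0", "203.0.113.1")    # default route to the ISP
    return ft


if __name__ == "__main__":
    table = build_demo_table()
    for dst in ("10.1.5.77", "10.1.9.9", "198.51.100.4"):
        print(dst, "->", table.forward(dst))
```

The /24 entry overlaps the /16 entry, and sorting by prefix length is what makes the lookup pick the narrower one; a table without a default route returns None for anything outside its prefixes, which is the drop case a router must handle rather than guess.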

INTRODUCTION
Virtual private network

A virtual private network (VPN) is a computer network in which some
of the links between nodes are carried by open connections or virtual
circuits in some larger network (e.g., the Internet) instead of by physical
wires. The link-layer protocols of the virtual network are said to be
tunneled through the larger network when this is the case. One common
application is secure communications through the public Internet, but a
VPN need not have explicit security features, such as authentication or
content encryption. VPNs, for example, can be used to separate the
traffic of different user communities over an underlying network with
strong security features.

A VPN may have best-effort performance, or may have a defined
service level agreement (SLA) between the VPN customer and the VPN
service provider. Generally, a VPN has a topology more complex than
point-to-point.

A VPN allows computer users to appear to be connecting from an IP address
location other than the one which connects the actual computer to the
Internet. It gives extremely secure connections between private networks
linked through the Internet. It allows remote computers to act as though
they were on the same secure, local network.
It is a way to use a public telecommunication infrastructure, such as the
Internet, to provide remote offices or individual users with secure access
to their organization's network.
It is a form of communication over networks that are public in
ownership, but emulate a private network in terms of security.
A VPN is a private tunnel through the Internet that is designed to
connect a remote office or employee into a main server. The virtual
private network is slow because all the data sent back and forth to the
server is locked down and encrypted. This is to ensure the data is secure
as it travels through the vast expanse of the Internet.

VPN ACCOUNT AND CERTIFICATE:

ACCOUNT:
• Verification by HOD and Web Coordinator.
• Communicated through Email.

DIGITAL CERTIFICATE:

• The digital certificate enrollment: online through
http://vpnca.nic.in/certsrv
• Mail the request ID.
• Verified and issued
• Certificate retrieved from the site / sent by mail

Installing the VPN client software:
1. Install the setup ‘windows installer package’ for Windows XP/2000
2. For Windows 98 the software is available at
http://ftp.ren.nic.in/pub/Cisco/vpn/VPN%20client%20software/vpnclient-win-is-3-6.6-a-k9.exe
3. The client software is in Zip format. Unzip it.
4. For Linux, the software is available at
http://ftp.ren.nic.in/pub/Cisco/vpn/VPN%20client%20software/vpnclient-linux-4.6.02003-k9.tar.gz

HISTORY
Until the end of the 1990s the computers in computer networks were
connected through very expensive leased lines and/or dial-up phone
lines. It could cost thousands of dollars for 56 kbps lines or tens of
thousands for T1 lines, depending on the distance between the
sites. Virtual Private Networks reduce network costs because they avoid
the need for many leased lines that individually connect to the Internet.
Users can exchange private data securely, making the expensive leased
lines redundant. The term VPN has been associated in the past with such
remote connectivity services as the public telephone network and Frame
Relay PVCs, but has finally settled in as being synonymous with IP-
based data networking.

Before this concept surfaced, large corporations
had expended considerable resources to set up complex private
networks, now commonly called Intranets. These networks were installed
using costly leased line services, Frame Relay, and ATM to incorporate
remote users. For the smaller sites and mobile workers on the
remote end, companies supplemented their networks with remote access
servers or ISDN. At the same time, the small- to medium-sized
enterprises (SMEs), who could not afford
dedicated leased lines, were relegated to low-speed switched services.
As the Internet became more and more accessible and bandwidth
capacities grew, companies began to offload their Intranets to the web
and create what are now known as Extranets to link internal and external
users. However, as cost-effective and quick-to-deploy
as the Internet is, there is one fundamental problem – security.

Today’s VPN solutions overcome the security factor. Using special
tunneling protocols and complex encryption procedures, data integrity
and privacy are achieved in what seems, for the most part, like a dedicated
point-to-point connection. And, because these operations occur over a
public network, VPNs can cost
significantly less to implement than privately owned or leased
services. Although early VPNs required extensive expertise to
implement, the technology has matured already to a level that makes its
deployment a simple and affordable solution for businesses of all sizes,
including SMEs who were previously being left out of the e-
revolution. Using the Internet, companies can connect their remote
branch offices, project teams, business partners, and e-customers into the
main corporate network. Mobile workers and telecommuters can get
secure connectivity by dialing into the POP (Point-of-Presence) of a
local ISP (Internet Service Provider). With a VPN, corporations see
immediate cost reduction opportunities in their long distance charges
(especially important to global companies), leased line fees, equipment
inventories (like large banks of modems), and
network support requirements.

VPN technologies have myriad protocols, terminologies and marketing
influences that define them. For example, VPN technologies can differ
in:
1. The protocols they use to tunnel the traffic
2. The tunnel's termination point, i.e., customer edge or network provider
edge
3. Whether they offer site-to-site or remote access connectivity
4. The levels of security provided
5. The OSI layer they present to the connecting network, such as Layer 2
circuits or Layer 3 network connectivity.

REQUIREMENTS:

Operating System: Windows 2000 SP4, Windows XP SP2, Windows Vista,
Windows 7
Computer: Computer with a Pentium®-class processor or greater. In
addition, x64 or x86 processors are supported for Windows XP and
Windows Vista.
Requirements:
• 5 MB hard disk space.
• RAM:
  – 128 MB for Windows 2000.
  – 256 MB for Windows XP.
  – 512 MB for Windows Vista.
• Microsoft Installer, version 3.

Operating System: Mac OS X, Version 10.4 or later
Computer: Macintosh computer (footnote 1)
Requirements: 50 MB hard disk space

Requirements for VPNs

There is one very important requirement that is common to secure
VPNs, trusted VPNs, and hybrid VPNs: the VPN administrator must
know the extent of the VPN. Regardless of the type of VPN in use, a
VPN is meant to have capabilities that the "regular" network does not.
Thus, the VPN administrator must be able to know at all times what data
will and will not be in the VPN.
Each of the four types of VPNs has its own additional requirements.
Secure VPN requirements
All traffic on the secure VPN must be encrypted and authenticated.
Many of the protocols that are used to create secure VPNs allow the
creation of VPNs that have authentication but no encryption. Although
such a network is more secure than a network with no authentication, it
is not a VPN because there is no privacy.
The security properties of the VPN must be agreed to by all parties
in the VPN. Secure VPNs have one or more tunnels, and each tunnel
has two endpoints. The administrators of the two endpoints of each
tunnel must be able to agree on the security properties of the tunnel.
No one outside the VPN can affect the security properties of the
VPN. It must be impossible for an attacker to change the security
properties of any part of a VPN, such as to weaken the encryption or to
affect which encryption keys are used.
Trusted VPN requirements
No one other than the trusted VPN provider can affect the creation
or modification of a path in the VPN. The entire value of the trusted
VPN is that the customer can trust the provider to provision and
control the VPN. Therefore, no one outside the realm of trust can change
any part of the VPN. Note that some VPNs span more than one provider;
in this case, the customer is trusting the group of providers as if they
were a single provider.
No one other than the trusted VPN provider can change data, inject
data, or delete data on a path in the VPN. A trusted VPN is more than
just a set of paths: it is also the data that flows along those paths.
Although the paths are typically shared among many customers of a
provider, the path itself must be specific to the VPN and no one other
than the trusted provider can affect the data on that path. Such a change by
an outside party would affect the characteristics of the path itself, such
as the amount of traffic measured on the path.
The routing and addressing used in a trusted VPN must be
established before the VPN is created. The customer must know what
is expected of the customer, and what is expected of the service
provider, so that they can plan for maintaining the network that they are
purchasing.
Hybrid VPN requirements
The address boundaries of the secure VPN within the trusted VPN
must be extremely clear. In a hybrid VPN, the secure VPN may be a
subset of the trusted VPN, such as if one department in a corporation
runs its own secure VPN over the corporate trusted VPN. For any given
pair of addresses in a hybrid VPN, the VPN administrator must be able to
definitively say whether or not traffic between those two addresses is
part of the secure VPN.
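
The two requirements above that concern the extent of the VPN, that the administrator must know at all times what is and is not in the VPN, and that for any pair of addresses in a hybrid VPN it must be clear whether their traffic is part of the secure VPN, can be encoded as a simple address-boundary check. The following Python code is an added example, not the report's own; the prefixes and addresses are constructed for the demonstration and the code handles IPv4 only.

```python
# Added example (not from the report): a checker for the hybrid-VPN requirement
# that, for any pair of addresses, the administrator can say definitively whether
# traffic between them belongs to the secure VPN, only to the trusted VPN, or to
# neither. It also enforces the rule that the secure VPN is a subset of the trusted
# VPN. All prefixes and addresses below are constructed for the demo (IPv4 only).
from __future__ import annotations

import ipaddress


class VpnScope:
    def __init__(self, trusted: list[str], secure: list[str]) -> None:
        self.trusted = [ipaddress.ip_network(p) for p in trusted]
        self.secure = [ipaddress.ip_network(p) for p in secure]
        # Requirement: every secure prefix must lie inside the trusted VPN.
        for s in self.secure:
            if not any(s.subnet_of(t) for t in self.trusted):
                raise ValueError(f"secure prefix {s} is outside the trusted VPN")

    @staticmethod
    def _covered(nets, addr) -> bool:
        return any(addr in n for n in nets)

    def classify(self, src: str, dst: str) -> str:
        """'secure'  : both ends inside the secure VPN (encrypted, authenticated)
           'trusted' : both ends inside the trusted VPN, not both in the secure part
           'outside' : at least one end is not in the VPN at all"""
        a, b = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if self._covered(self.secure, a) and self._covered(self.secure, b):
            return "secure"
        if self._covered(self.trusted, a) and self._covered(self.trusted, b):
            return "trusted"
        return "outside"


def build_demo_scope() -> VpnScope:
    """Corporate trusted VPN 10.0.0.0/8; one department runs its own secure
    VPN over it in 10.20.0.0/16 (constructed numbers)."""
    return VpnScope(trusted=["10.0.0.0/8"], secure=["10.20.0.0/16"])


def is_valid_scope(trusted: list[str], secure: list[str]) -> bool:
    """True if every secure prefix is inside the trusted VPN."""
    try:
        VpnScope(trusted, secure)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    scope = build_demo_scope()
    for pair in (("10.20.1.5", "10.20.2.9"), ("10.20.1.5", "10.30.1.1"),
                 ("10.20.1.5", "192.0.2.10")):
        print(pair, "->", scope.classify(*pair))
```

The constructor rejects a configuration whose secure prefixes fall outside the trusted VPN, so the boundary question is answered once at setup rather than per packet; classify then gives a definite answer for every address pair, including the mixed case where one end is in the department's secure VPN and the other only in the corporate trusted VPN.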

Different Types of VPN
A VPN supports at least three different modes of use:

Under this application only a single VPN gateway is involved. The
other party involved in negotiating the secure communication
channel with the VPN Gateway is a PC or laptop that is connected
to the Internet and running VPN Client software. The VPN Client
allows telecommuters and traveling users to communicate on the
central network and access servers from many different locations.

BENEFIT : Significant cost savings by reducing the burden of
long distance charges associated with dial-up access. Also helps
increase productivity and peace of mind by ensuring secure
network access regardless of where an employee physically is.

2. Site to site : Dedicated VPN connection established among
multiple LANs. Each site requires a local leased-line, RF or ISDN
connection to the local ISP.

With Intranet VPN, gateways at various physical locations within
the same business negotiate a secure communication channel
across the Internet known as a VPN tunnel. An example would be
a network that exists in several buildings connected to a data
center or mainframe that has secure access through private lines.
Users from the networks on either side of the tunnel can
communicate with one another as if it were a single network.
These may need strong encryption and strict performance and
bandwidth requirements.
BENEFIT : Substantial cost savings over traditional leased-line or
frame relay technologies through the use of the Internet to bridge
potentially long distances between sites.

3. Site-to-Site Extranet VPN - Almost identical to Intranets, except
they are meant for external business partners. As such, firewall
access restrictions are used in conjunction with VPN tunnels, so
that business partners are only able to gain secure access to
specific data / resources, while not gaining access to private
corporate information.
BENEFIT : Businesses enjoy the same policies as a private
network, including security, QoS, manageability, and reliability.

Desired VPN Features :

The workgroup found that the following characteristics are necessary for
a successful UC Davis VPN implementation:

1. Available to all CyberSafe remote computers. Every vendor supported
end-user platform should be able to use the VPN service, but VPN
access from computing systems that are or can be compromised should
be denied.

2. Easily supportable. VPN implementation must not substantially
increase help desk utilization or costs.

3. Integrate with existing authentication/authorization infrastructure.
The log-in procedure should be simpler and less confusing than the
current proxy login.

4. Security that is not “one size fits all”. The ability to assign remote
users to security zones based on authorization groups is highly desirable
in many circumstances. For example, SSL VPN technology could be
used to enhance campus wireless security through the assignment of
users to trusted and untrusted zones depending on their affiliation.

5. Granular administration. A VPN implementation that permits
administrative delegation in an environment of central control would be
highly desirable. A vendor solution that permits departmental
participation through independent purchase of compatible equipment
may also be acceptable.

6. Split tunnel services. Split tunnel services should be supported by a
campus VPN implementation.

7. Browser support. The SSL VPN solution must be compatible with
current Internet Web browsers, including Internet Explorer, Safari,
Netscape, Opera and Firefox.

8. Monitoring and logging. Monitoring should go beyond the
indispensable network utilization and error reporting level. Any VPN
solution has to provide logging that is integrated with syslog services. In
the case of DMCA violations, the University must be able to remove
access to infringing files upon notification. For resources licensed by the
UC Office of the President and the Davis campus, the University is
obligated by contract to remedy abuses or suffer penalties that could
include denial to future resource access for all campus users. For those
reasons, it is necessary to associate user identity and activity. The
obligation to remedy abuse is a requirement for departments even if they
manage VPNs independently.

9. Scalability. It should be possible to begin small and economically
increase capacity without degrading performance. Technical details
relating to interoperation with the existing VLAN infrastructure may
contribute significantly in this respect.

10. Hardened. The VPN platform should have a hardened operating
system and firmware that provide no opportunities for exploits.

11. Operation 24x7x365. Every hour of the night and day, some UC
Davis affiliate uses campus resources remotely, so we require a high
availability platform. An active/passive configuration would provide
fail-safe operation if a load balancing active/active configuration was
unaffordable.

12. Supported. As a core service, VPN would require 24x7 vendor
telephone support and 24x7 hardware maintenance availability.
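
Feature 8 above asks for syslog-integrated logging that lets the University associate user identity with activity, so that an abuse notice naming a campus IP address at a given time can be answered. The following is an added example, not code from the report or from any VPN vendor: it parses constructed RFC 5424-style syslog records from a hypothetical gateway "vpn-gw1" whose message body uses an assumed key=value format, pairs login and logout events into sessions, and answers "who held this VPN address at this time?". The sample deliberately reuses one pool address for two users in succession, which is why the question cannot be answered from the address alone.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample records from a hypothetical gateway "vpn-gw1", written in
# RFC 5424 syslog form; the key=value message body is an assumed format, not
# any particular vendor's. Address 10.200.0.17 is handed to a second user a
# couple of minutes after the first one logs out.
SAMPLE_LOG = """\
<134>1 2010-03-03T10:15:02+00:00 vpn-gw1 vpnd 2211 - - user=alice session=7781 event=login assigned_ip=10.200.0.17 src=203.0.113.45
<134>1 2010-03-03T11:40:11+00:00 vpn-gw1 vpnd 2211 - - user=alice session=7781 event=logout assigned_ip=10.200.0.17
<134>1 2010-03-03T11:42:30+00:00 vpn-gw1 vpnd 2211 - - user=bob session=7790 event=login assigned_ip=10.200.0.17 src=198.51.100.9
<134>1 2010-03-03T12:05:00+00:00 vpn-gw1 vpnd 2211 - - user=carol session=7791 event=login assigned_ip=10.200.0.18 src=192.0.2.77
<134>1 2010-03-03T12:06:00+00:00 vpn-gw1 sshd 900 - - Accepted publickey for admin from 192.0.2.1
"""

# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
LINE_RE = re.compile(
    r"^<\d+>1 (?P<ts>\S+) (?P<host>\S+) vpnd \S+ \S+ \S+ (?P<msg>.*)$")


@dataclass
class Session:
    user: str
    assigned_ip: str
    source_ip: str
    start: datetime
    end: Optional[datetime] = None  # None while the session is still open


def parse_sessions(text):
    """Pair login/logout events by session id into Session records."""
    open_by_id, sessions = {}, []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a vpnd record; a collector would count these
        fields = dict(f.split("=", 1) for f in m.group("msg").split())
        ts = datetime.fromisoformat(m.group("ts"))
        sid = fields["session"]
        if fields["event"] == "login":
            s = Session(fields["user"], fields["assigned_ip"],
                        fields.get("src", "?"), ts)
            open_by_id[sid] = s
            sessions.append(s)
        elif fields["event"] == "logout" and sid in open_by_id:
            open_by_id.pop(sid).end = ts
    return sessions


def who_had(sessions, ip, when):
    """User holding VPN address `ip` at `when`, or None if nobody did."""
    for s in sessions:
        if s.assigned_ip == ip and s.start <= when and (s.end is None or when < s.end):
            return s.user
    return None


def lookup(text, ip, when_iso):
    """Answer an abuse report ('who used 10.200.0.17 at 11:00Z?') from the raw log."""
    return who_had(parse_sessions(text), ip, datetime.fromisoformat(when_iso))


if __name__ == "__main__":
    for t in ("2010-03-03T11:00:00+00:00", "2010-03-03T11:41:00+00:00",
              "2010-03-03T12:00:00+00:00"):
        print(t, "10.200.0.17 ->", lookup(SAMPLE_LOG, "10.200.0.17", t))
```

Two points the code makes concrete: the gateway must log the assigned address together with the user and the session boundaries (a login record alone is not enough once addresses are recycled), and the timestamps must carry a timezone, since the notice will usually quote a time in a different one.
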
The workgroup identified one feature, Endpoint Security
Integration, which will require further analysis. While end-point
security is a highly desirable function for entry to the campus
network, the ability to check an operating system version,
application of security patches or the currency of anti-virus
detection files would likely benefit the campus as part of a broader
offering, integrated into network access for wired, wireless and
VPN services. Nonetheless, some SSL VPN products are capable
of using the endpoint security services to check for specific
programs and files needed for interoperation with particular
servers and services.

Technologies Supported by VPNC
The following technologies support the requirements from the previous
section. VPNC supports these technologies when they are implemented
by users themselves and when they are implemented in provider-
provisioned VPNs.
5.1 Secure VPN technologies
IPsec with encryption in either tunnel or transport mode. The
security associations can be set up either manually or using IKE with
either certificates or preshared secrets.
IPsec, short for Internet Protocol Security, can run in either transport
or tunnel mode, each having significantly different implications,
particularly with regard to security — tunnel mode will encrypt both
the header information as well as the data transmitted, whereas
transport mode will encrypt only the data. Keys must be shared by both
the sender and recipient in order to correctly decrypt the transmission.
IPsec works at Layer 3, or the Network Layer of the OSI Model, which
enables it to operate independently of any application. An IPsec VPN
creates a tunnel between two endpoints through which any number of
connections and protocol types (Web, email, file transfer, VoIP) can
travel. The original IP data packet is re-encapsulated so that all
application protocol information is hidden during the actual
transmission of the data. A typical deployment will consist of one or
more VPN gateways to the secured networks. Special VPN client software
must be installed on each remote access user’s computer, and each VPN
client must be configured to define which packets should be encrypted
and which gateway is to be used for the VPN tunnel. Once connected, the
client becomes a full member of the secured network, able to see and
access everything just as if that system was actually physically
connected to the network.

IPsec inside of L2TP : has significant deployment for client-server
remote access secure VPNs.

SSL (Secure Socket Layer) VPNs : are often referred to as transparent,
or clientless, due to the lack of any additional client-side VPN software
that must be explicitly installed. The SSL components required to create
a secure channel from the remote system are a part of all major Web
browsers, at least one of which is always already available on virtually
every modern computer. The only new item that is necessary is a
designated SSL VPN server, to act as the gateway between the secured
network and all remote systems. The SSL protocol operates in Layer 7,
the Application Layer, allowing it to act as a proxy for the secured
resources. Authentication of both the client and the server is achieved
during the initial handshake routine where both parties identify
themselves via digital certificates. The handshake process also generates
session keys which are used to encrypt all traffic sent and received
during a remote access session. These technologies (other than SSL 3.0)
are standardized in the IETF, and each has many vendors who have
shown their products to interoperate well in the field. An SSL VPN can
maintain and enforce finer-grained access control policies, to individual
internal resources as well as by individual users, by intercepting all
traffic between the authenticated remote system and the requested
resource inside the secured network. This introduces greater flexibility
since now virtually any computer with an Internet connection can
be used for secure remote access — home computers, computers on
customers’ premises, and even Internet cafés!

IPsec vs SSL VPNs

IPsec and SSL each have their own advantages, so what is “better” may
often come down to what is most suited for your network, but many
organizations are increasingly turning to SSL VPNs for the additional
benefits available.

5.2 Trusted VPN technologies

Modern service providers offer many different types of trusted VPNs.
These can generally be separated into "layer 2" and "layer 3" VPNs.
Technologies for trusted layer 2 VPNs include:
• ATM circuits
• Frame relay circuits
• Multi-Protocol Label Switching (MPLS)

Multi-Protocol Label Switching (MPLS) was originally presented as a way of improving
the forwarding speed of routers but is now emerging as a crucial
standard technology that offers new capabilities for large scale IP
networks. Traffic engineering, the ability of network operators to
dictate the path that traffic takes through their network, and Virtual
Private Network support are examples of two key applications where
MPLS is superior to any currently available IP technology.
Although MPLS was conceived as being independent of Layer 2,
much of the excitement generated by MPLS revolves around its
promise to provide a more effective means of deploying IP networks
across ATM-based WAN backbones. The Internet Engineering Task
Force is developing MPLS with draft standards expected by the end
of 1998. MPLS is viewed by some as one of the most important
network developments of the 1990's. This article will explain why
MPLS is generating such interest.
The essence of MPLS is the generation of a short fixed-length label
that acts as a shorthand representation of an IP packet's header. This
is much the same way as a ZIP code is shorthand for the house, street
and city in a postal address, and the use of that label to make
forwarding decisions about the packet. IP packets have a field in their
'header' that contains the address to which the packet is to be routed.
Traditional routed networks process this information at every router
in a packet's path through the network (hop by hop routing).

In MPLS, the IP packets are encapsulated with these labels by the
first MPLS device they encounter as they enter the network. The
MPLS edge router analyses the contents of the IP header and selects
an appropriate label with which to encapsulate the packet. Part of the
great power of MPLS comes from the fact that, in contrast to
conventional IP routing, this analysis can be based on more than just
the destination address carried in the IP header. At all the subsequent
nodes within the network the MPLS label, and not the IP header, is
used to make the forwarding decision for the packet. Finally, as
MPLS labeled packets leave the network, another edge router
removes the labels.
In MPLS terminology, the packet handling nodes or routers are called
Label Switched Routers (LSRs). The derivation of the term should be
obvious; MPLS routers forward packets by making switching
decisions based on the MPLS label. This illustrates another of the key
concepts in MPLS. Conventional IP routers contain routing tables
which are looked up using the IP header from a packet to decide how
to forward that packet. These tables are built by IP routing protocols
(e.g., RIP or OSPF) which carry around IP reachability information in
the form of IP addresses. In practice, we find that forwarding (IP
header lookup) and control planes (generation of the routing tables)
are tightly coupled. Since MPLS forwarding is based on labels it is
possible to cleanly separate the (label-based) forwarding plane from
the routing protocol control plane. By separating the two, each can be
modified independently. With such a separation, we don't need to
change the forwarding machinery, for example, to migrate a new
routing strategy into the network.
There are two broad categories of LSR. At the edge of the network,
we require high performance packet classifiers that can apply (and
remove) the requisite labels: we call these MPLS edge routers. Core
LSRs need to be capable of processing the labeled packets at
extremely high bandwidths.
This is an abstract of the MPLS article contained in techguide.com.
The complete article examines MPLS and the opportunities it offers
to users and also to the service providers who are designing and
engineering the next generation of IP networks. It also describes why
new carrier-class edge devices will become a key component in the
provisioning of future network services.
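
The MPLS description above makes three claims that are easiest to see in running code: the label is a short fixed-length shorthand for the IP header, only the edge LSR ever looks at the IP header, and the label-based forwarding plane is separate from the routing control plane that fills the tables. The following is an added example, not part of the report or the techguide.com article it abstracts: it encodes the 32-bit label stack entry of RFC 3032, and drives a constructed three-hop path (ingress edge router, two core LSRs with label tables, egress) whose FEC and label tables are assumptions for the demonstration.

```python
import ipaddress
import struct


# MPLS label stack entry (RFC 3032): 20-bit label | 3-bit traffic class |
# 1-bit bottom-of-stack | 8-bit TTL, packed into one 32-bit word.
def encode_entry(label, tc=0, bos=1, ttl=64):
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    word = (label << 12) | ((tc & 0x7) << 9) | ((bos & 0x1) << 8) | (ttl & 0xFF)
    return struct.pack("!I", word)


def decode_entry(entry):
    word, = struct.unpack("!I", entry[:4])
    return word >> 12, (word >> 9) & 0x7, (word >> 8) & 0x1, word & 0xFF


# Constructed tables (not from the report). The ingress edge LSR classifies by
# destination prefix (the FEC); every core LSR holds only a label table (LFIB).
FEC_TABLE = [  # (destination prefix, label to push, next hop)
    (ipaddress.ip_network("192.0.2.0/24"), 100, "core1"),
    (ipaddress.ip_network("198.51.100.0/24"), 110, "core1"),
]
LFIB = {  # node -> {incoming label: (outgoing label, next hop)}; None = pop
    "core1": {100: (200, "core2"), 110: (210, "core2")},
    "core2": {200: (None, "egress-A"), 210: (None, "egress-B")},
}


def ingress_push(dst_ip, ip_packet, fec_table=FEC_TABLE):
    """Edge LSR: longest-prefix match on the IP destination, then push a label."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [row for row in fec_table if dst in row[0]]
    if not matches:
        raise LookupError(f"no FEC for {dst_ip}")
    _net, label, next_hop = max(matches, key=lambda row: row[0].prefixlen)
    return encode_entry(label) + ip_packet, next_hop


def core_forward(node, labeled, lfib=LFIB):
    """Core LSR: the decision uses only the top label; the IP header is never parsed."""
    label, tc, bos, ttl = decode_entry(labeled)
    if ttl <= 1:
        raise ValueError("MPLS TTL expired")
    out_label, next_hop = lfib[node][label]
    rest = labeled[4:]
    if out_label is None:            # penultimate-hop pop: hand on the bare IP packet
        return rest, next_hop
    return encode_entry(out_label, tc, bos, ttl - 1) + rest, next_hop   # label swap


def forward_path(dst_ip, ip_packet):
    """Carry one packet ingress -> egress, recording (node, label seen) at each LSR."""
    trace = []
    pkt, node = ingress_push(dst_ip, ip_packet)
    while node in LFIB:
        trace.append((node, decode_entry(pkt)[0]))
        pkt, node = core_forward(node, pkt)
    return node, trace, pkt


if __name__ == "__main__":
    ip_pkt = b"\x45\x00" + b"<rest of a constructed IPv4 packet>"
    egress, trace, delivered = forward_path("192.0.2.10", ip_pkt)
    print("egress:", egress, "labels seen:", trace, "payload intact:", delivered == ip_pkt)
```

Changing the routing policy in this model means rewriting FEC_TABLE and LFIB (the control plane); core_forward never changes, which is the separation of forwarding and control that the text describes.
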
Technologies for trusted layer 3 VPNs include:
• MPLS with constrained distribution of routing information
through BGP, as described in RFC 4364 and other related Internet
Drafts.
It is widely assumed that both will become standards in the future. Also,
the service provider industry has not embraced one of these technologies
much more strongly than the other.
5.3 Hybrid VPN technologies
• Any supported secure VPN technologies running over any
supported trusted VPN technology.
It is important to note that a hybrid VPN is only secure in the parts that
are based on secure VPNs. That is, adding a secure VPN to a trusted
VPN does not increase the security for the entire trusted VPN, only to
the part that was directly secured. The secure VPN acquires the
advantages of the trusted VPN, such as having known QoS features.

Protocols Used
The IPsec protocol suite incorporates three major components: the
Authentication Header (AH), Encapsulating Security Payload
(ESP), and Internet Key Exchange (IKE).

VPN Tunneling Protocols

Several computer network protocols have been implemented
specifically for use with VPN tunnels. The three most popular
VPN tunneling protocols listed below continue to compete with
each other for acceptance in the industry. These protocols are
generally incompatible with each other.
Point-to-Point Tunneling Protocol (PPTP)

Several corporations worked together to create the PPTP specification.
People generally associate PPTP with Microsoft because nearly all
flavors of Windows include built-in client support for this protocol. The
initial releases of PPTP for Windows by Microsoft contained security
features that some experts claimed were too weak for serious use.
Microsoft continues to improve its PPTP support, though.

PPTP VPN Tunnel Frame Format

A PPP frame (an IP datagram, an IPX datagram, or a NetBEUI frame) is
wrapped with a Generic Routing Encapsulation (GRE) header and an IP
header. In the IP header are the source and destination IP addresses that
correspond to the VPN client and VPN server.

Normal IP Packet without VPN

Point-to-Point Tunneling Protocol (PPTP) is a proprietary development
of Microsoft intended for VPN-like communications. PPTP offers user
authentication employing authentication protocols such as MS-CHAP,
CHAP, SPAP, and PAP. The protocol lacks the flexibility offered by
other solutions and does not possess the same level of interoperability as
the other VPN protocols, but its use is easy and abundant in the real
world.

PPTP PACKET

It consists of three types of communication:

• PPTP connection, where a client establishes a PPP link to an ISP.
• PPTP control connection, where the user creates a PPTP
connection to the VPN server and negotiates the tunnel
characteristics.
• PPTP data tunnel, where both client and server exchange
communications inside an encrypted tunnel.

PPTP is commonly used for creation of secure communication channels
between a large number of Windows hosts on the intranet. We have to
caution you that it has a long history of insecurities and typically uses
weak cryptographic algorithms, such as MD4 or DES.

Layer Two Tunneling Protocol (L2TP)

The original competitor to PPTP for VPN tunneling was L2F, a protocol
implemented primarily in Cisco products. In an attempt to improve on
L2F, the best features of it and PPTP were combined to create a new
standard called L2TP. Like PPTP, L2TP exists at the data link layer
(Layer Two) in the OSI model -- thus the origin of its name. Jointly
developed by Cisco, Microsoft, and 3Com, L2TP promised to replace
PPTP as a major tunneling protocol. It is essentially a combination of
PPTP and Cisco Layer Two Forwarding (L2F), merging both into a
single standard. L2TP is used to tunnel PPP over a public IP network.

L2TP : Tunneling with IPSec Encryption

It relies on PPP to establish a dial-in connection using PAP or CHAP
authentication but, unlike PPTP, L2TP defines its own tunneling
protocol. Because L2TP works on Layer 2, non-IP protocols can be
transported through the tunnel, and it will work on any Layer 2 media,
such as ATM, Frame Relay, or 802.11. The protocol does not offer
encryption by itself, but it can be used in conjunction with other
protocols or application-layer encryption mechanisms to provide for
security needs.
Internet Protocol Security (IPsec)

IPsec is actually a collection of multiple related protocols. It can be used
as a complete VPN protocol solution or simply as the encryption scheme
within L2TP or PPTP. IPsec exists at the network layer (Layer Three) of
the OSI model.

Internet Protocol Security (IPsec) is a protocol suite for securing Internet
Protocol (IP) communications by authenticating and encrypting each IP
packet of a data stream. IPsec also includes protocols for establishing
mutual authentication between agents at the beginning of the session and
negotiation of cryptographic keys to be used during the session. IPsec
can be used to protect data flows between a pair of hosts (e.g. computer
users or servers), between a pair of security gateways (e.g. routers or
firewalls), or between a security gateway and a host.

IPsec is a dual mode, end-to-end, security scheme operating between the
Internet and Transport layers of the Internet Protocol Suite. It effectively
acts as an additional, optional "presentation layer" if a transport-level
protocol is regarded as the application.

Some other Internet security systems in widespread use, such as Secure
Sockets Layer (SSL), Transport Layer Security (TLS) and Secure Shell
(SSH), operate in the upper layers of these models. Hence, IPsec can be
used for protecting any application traffic across the Internet.
Applications don't need to be specifically designed to use IPsec. The use
of TLS/SSL, on the other hand, must typically be incorporated into the
design of applications.

IPsec is a successor of the ISO standard Network Layer Security
Protocol (NLSP). NLSP was based on the SP3 protocol that was
published by NIST, but designed by the Secure Data Network System
project of the National Security Agency (NSA).

IPsec is officially specified by the Internet Engineering Task Force
(IETF) in a series of Requests for Comment addressing various
components and extensions, including the official capitalization style of
the term.

The IPsec suite is a framework of open standards. IPsec uses the
following protocols to perform various functions.

• A security association (SA) is set up by Internet Key Exchange
(IKE and IKEv2) or Kerberized Internet Negotiation of Keys
(KINK) by handling negotiation of protocols and algorithms and to
generate the encryption and authentication keys to be used by
IPsec.
• Authentication Header (AH) to provide connectionless integrity and
data origin authentication for IP datagrams and to provide
protection against replay attacks.
• Encapsulating Security Payload (ESP) to provide confidentiality,
data origin authentication, connectionless integrity, an anti-replay
service (a form of partial sequence integrity), and limited traffic
flow confidentiality.
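
The ESP bullet above lists an anti-replay service, described as a form of partial sequence integrity. The following is an added example, not code from the report: it implements the receiver-side sliding window of RFC 4303 section 3.4.3 over the sequence number carried in the first eight bytes of every ESP packet (SPI followed by the sequence number), with 32-bit sequence numbers and no extended sequence numbers. The window width and the constructed packets are assumptions for the demonstration.

```python
import struct

ESP_HEADER = struct.Struct("!II")   # SPI, sequence number: the first 8 bytes of ESP (RFC 4303)


class AntiReplayWindow:
    """Sliding-window anti-replay check as described in RFC 4303, section 3.4.3.

    32-bit sequence numbers without ESN; `size` is the window width (the RFC
    requires at least 32 and recommends 64). Bit i of `bitmap` means that the
    sequence number (last_seq - i) has already been accepted.
    """

    def __init__(self, size=64):
        self.size = size
        self.last_seq = 0      # highest sequence number accepted so far
        self.bitmap = 0

    def check(self, seq):
        """True if `seq` is fresh and in window (and record it); False to drop."""
        if seq == 0:
            return False       # 0 is never transmitted, so it is always bogus
        if seq > self.last_seq:               # ahead of the window: slide it
            shift = seq - self.last_seq
            if shift >= self.size:
                self.bitmap = 1               # everything older falls off the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.last_seq = seq
            return True
        diff = self.last_seq - seq
        if diff >= self.size:
            return False       # too old: outside the window
        if self.bitmap & (1 << diff):
            return False       # already seen: replay
        self.bitmap |= 1 << diff
        return True


def replay_check_stream(seqs, size=64):
    """Run a list of sequence numbers through one window and report each verdict."""
    window = AntiReplayWindow(size)
    return [window.check(s) for s in seqs]


def accept_esp_packets(packets, spi, size=64):
    """Filter constructed ESP packets for one SA: match the SPI, then anti-replay.

    A real receiver verifies the ICV before updating the window, so that a
    forged sequence number cannot move it; the ICV step is elided here.
    """
    window = AntiReplayWindow(size)
    accepted = []
    for pkt in packets:
        pkt_spi, seq = ESP_HEADER.unpack_from(pkt)
        if pkt_spi != spi:
            continue                          # belongs to a different SA
        if window.check(seq):
            accepted.append(seq)
    return accepted


if __name__ == "__main__":
    # Constructed arrival order: reordering (5 before 4) is tolerated,
    # a repeat of 3 and a late 2 after a big jump are dropped.
    arrivals = [1, 2, 3, 5, 4, 3, 70, 2, 70]
    print(list(zip(arrivals, replay_check_stream(arrivals))))
```

The service is "partial" in exactly the sense the window makes visible: a packet that is merely reordered within the window is accepted, a repeated packet is dropped, and once the window has moved on a legitimate but very late packet is also dropped.
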

Modes of operation

IPsec can be implemented in a host-to-host transport mode, as well
as in a network tunnel mode.

Transport mode

In transport mode, only the payload (the data you transfer) of the IP
packet is encrypted and/or authenticated. The routing is intact, since
the IP header is neither modified nor encrypted; however, when the
authentication header is used, the IP addresses cannot be translated,
as this will invalidate the hash value. The transport and application
layers are always secured by hash, so they cannot be modified in
any way (for example by translating the port numbers). Transport
mode is used for host-to-host communications.

A means to encapsulate IPsec messages for NAT traversal has been
defined by RFC documents describing the NAT-T mechanism.
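
The transport-mode paragraph above says that with the Authentication Header the IP addresses cannot be translated because that would invalidate the hash, while the payload (including port numbers) is likewise protected. The following is an added example, not code from the report: it builds an AH transport-mode packet with the HMAC-SHA-256-128 integrity algorithm of RFC 4868, zeroing the mutable IPv4 fields (DSCP/ECN, flags, fragment offset, TTL, header checksum) as RFC 4302 requires, and then shows that a router's TTL decrement leaves the ICV valid while a NAT's address rewrite or a payload change breaks it. The addresses, key and payload are constructed for the demonstration, and the IPv4 header checksum is left at zero since it is excluded from the ICV anyway.

```python
import hashlib
import hmac
import struct

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # 20-byte IPv4 header, no options
AH_FIXED = struct.Struct("!BBHII")          # next hdr, payload len, reserved, SPI, seq (RFC 4302)
ICV_LEN = 16                                # HMAC-SHA-256-128 (RFC 4868): 32-byte MAC truncated to 16
IPPROTO_AH = 51


def ip2b(dotted):
    return bytes(int(x) for x in dotted.split("."))


def build_ipv4(src, dst, proto, payload_len, ttl=64, ident=0x1234):
    # Header checksum left at zero: it is a mutable field, excluded from the ICV anyway.
    total = IPV4_HDR.size + payload_len
    return IPV4_HDR.pack(0x45, 0, total, ident, 0x4000, ttl, proto, 0, ip2b(src), ip2b(dst))


def zero_mutable(ip_hdr):
    """Mutable IPv4 fields are zeroed before hashing (RFC 4302, section 3.3.3.1.1.1)."""
    v = bytearray(ip_hdr)
    v[1] = 0                 # DSCP / ECN
    v[6:8] = b"\x00\x00"     # flags + fragment offset
    v[8] = 0                 # TTL: routers decrement it in flight
    v[10:12] = b"\x00\x00"   # header checksum: recomputed after every TTL change
    return bytes(v)          # version, IHL, length, id, protocol, src, dst stay covered


def compute_icv(key, ip_hdr, ah_fixed, payload):
    """ICV over: normalised IP header | AH header with ICV field zeroed | payload."""
    data = zero_mutable(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def ah_transport_encapsulate(key, src, dst, inner_proto, payload, spi=0x100, seq=1):
    """Transport mode: IP | AH | original payload; nothing is encrypted."""
    payload_len_words = (AH_FIXED.size + ICV_LEN) // 4 - 2   # AH length in 32-bit words minus 2
    ah_fixed = AH_FIXED.pack(inner_proto, payload_len_words, 0, spi, seq)
    ip_hdr = build_ipv4(src, dst, IPPROTO_AH, AH_FIXED.size + ICV_LEN + len(payload))
    return ip_hdr + ah_fixed + compute_icv(key, ip_hdr, ah_fixed, payload) + payload


def ah_verify(key, packet):
    """Recompute the ICV from the received packet and compare in constant time."""
    a = IPV4_HDR.size
    ip_hdr = packet[:a]
    ah_fixed = packet[a:a + AH_FIXED.size]
    icv = packet[a + AH_FIXED.size:a + AH_FIXED.size + ICV_LEN]
    payload = packet[a + AH_FIXED.size + ICV_LEN:]
    return hmac.compare_digest(icv, compute_icv(key, ip_hdr, ah_fixed, payload))


def router_hop(packet):
    """What a router does: decrement TTL (a mutable field); the ICV stays valid."""
    v = bytearray(packet)
    v[8] -= 1
    return bytes(v)


def nat_rewrite_source(packet, new_src):
    """What a NAT does: rewrite the source address (an immutable field); the ICV breaks."""
    v = bytearray(packet)
    v[12:16] = ip2b(new_src)
    return bytes(v)


def tamper_payload(packet):
    """Flip one bit in the transport payload, e.g. an attempt to rewrite a port number."""
    v = bytearray(packet)
    v[-1] ^= 0x01
    return bytes(v)


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-real-use"
    pkt = ah_transport_encapsulate(key, "10.0.0.1", "10.0.0.2", 6, b"\x1f\x90\x00\x50 tcp segment")
    print("as sent:     ", ah_verify(key, pkt))
    print("after router:", ah_verify(key, router_hop(pkt)))
    print("after NAT:   ", ah_verify(key, nat_rewrite_source(pkt, "203.0.113.5")))
    print("port changed:", ah_verify(key, tamper_payload(pkt)))
```

This is also why the NAT-T mechanism mentioned above exists: the only way to carry IPsec through a translator without breaking integrity is to wrap it so that the translated outer header is not the one being authenticated.
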

Tunnel mode

In tunnel mode, the entire IP packet is encrypted and/or
authenticated. It is then encapsulated into a new IP packet with a
new IP header. Tunnel mode is used to create Virtual Private
Networks for network-to-network communications (e.g. between
routers to link sites), host-to-network communications (e.g. remote
user access), and host-to-host communications (e.g. private chat).

GRE

Generic Routing Encapsulation (GRE) is a Cisco-developed protocol
that is used in networking to tunnel traffic between different private
networks. This includes non-IP traffic that cannot be carried across the
network in its native form. Even though it does not provide any
encryption by itself, it does provide efficient low-overhead tunneling.
GRE is often used in conjunction with network-layer encryption
protocols to accommodate both features provided by GRE, such as
encapsulation of non-IP protocols, and encryption provided by other
protocols, such as IPSec.

GRE tunnels are designed to be completely stateless. This means that
each tunnel end-point does not keep any information about the state or
availability of the remote tunnel end-point. A consequence of this is that
the local tunnel end-point router does not have the ability to bring the
line protocol of the GRE tunnel interface down if the remote end-point is
unreachable. The ability to mark an interface as down when the remote
end of the link is not available is used in order to remove any routes
(specifically static routes) in the routing table that use that interface as
the outbound interface. Specifically, if the line protocol for an interface
is changed to down, then any static routes that point out that interface
are removed from the routing table. This allows for the installation of an
alternate (floating) static route or for policy-based routing (PBR) to
select an alternate next-hop or interface.

Normally, a GRE tunnel interface comes up as soon as it is configured
and it stays up as long as there is a valid tunnel source address or
interface which is up. The tunnel destination IP address must also be
routable. This is true even if the other side of the tunnel has not been
configured. This means that a static route or PBR forwarding of packets
via the GRE tunnel interface remains in effect even though the GRE
tunnel packets do not reach the other end of the tunnel.
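
Two passages of this report describe the same header: the PPTP frame format section (a PPP frame wrapped in a GRE header and an IP header) and the GRE section above (tunneling with no encryption of its own). The following is an added example, not code from the report: it packs and parses the GRE header of RFC 2784 with the key and sequence extensions of RFC 2890 and the optional RFC 1071 checksum, and builds the PPTP data-tunnel variant of RFC 2637 (enhanced GRE, version 1, protocol 0x880B, key field holding payload length and call ID). The PPP bytes, call ID and sequence number are constructed; the outer IP header that PPTP adds, carrying the client and server addresses, is omitted. The point to take from running it is that decapsulation needs no key: anyone on the path recovers the tunnelled frame byte for byte, which is why GRE is paired with IPsec when confidentiality matters.

```python
import struct
from collections import namedtuple

# GRE header flags (RFC 2784 / RFC 2890); the low 3 bits of the same 16-bit
# word carry the version: 0 for plain GRE, 1 for PPTP's enhanced GRE (RFC 2637).
GRE_FLAG_C = 0x8000      # checksum present
GRE_FLAG_K = 0x2000      # key present
GRE_FLAG_S = 0x1000      # sequence number present
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_PPP = 0x880B   # protocol type PPTP uses for its tunnelled PPP frames

GreHeader = namedtuple("GreHeader", "version protocol key seq payload")


def ones_complement_checksum(data):
    """RFC 1071 Internet checksum, which GRE uses for its optional checksum field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(protocol, payload, key=None, seq=None, checksum=False, version=0):
    flags = version & 0x7
    options = b""
    if checksum:
        flags |= GRE_FLAG_C
        options += struct.pack("!HH", 0, 0)   # checksum placeholder + reserved1
    if key is not None:
        flags |= GRE_FLAG_K
        options += struct.pack("!I", key)
    if seq is not None:
        flags |= GRE_FLAG_S
        options += struct.pack("!I", seq)
    packet = struct.pack("!HH", flags, protocol) + options + payload
    if checksum:   # computed over header + payload with the checksum field zero
        packet = packet[:4] + struct.pack("!H", ones_complement_checksum(packet)) + packet[6:]
    return packet


def gre_decapsulate(packet):
    """Parse a GRE packet; raises ValueError on a bad checksum. No key material
    is involved: the payload comes back exactly as it was sent."""
    flags, protocol = struct.unpack("!HH", packet[:4])
    offset = 4
    if flags & GRE_FLAG_C:
        (csum,) = struct.unpack("!H", packet[4:6])
        if ones_complement_checksum(packet[:4] + b"\x00\x00" + packet[6:]) != csum:
            raise ValueError("GRE checksum mismatch")
        offset += 4
    key = seq = None
    if flags & GRE_FLAG_K:
        (key,) = struct.unpack("!I", packet[offset:offset + 4])
        offset += 4
    if flags & GRE_FLAG_S:
        (seq,) = struct.unpack("!I", packet[offset:offset + 4])
        offset += 4
    return GreHeader(flags & 0x7, protocol, key, seq, packet[offset:])


def gre_is_intact(packet):
    """Checksum verdict only; a corrupted packet is reported as not intact."""
    try:
        gre_decapsulate(packet)
        return True
    except ValueError:
        return False


def pptp_data_packet(ppp_frame, call_id, seq):
    """PPTP data tunnel (RFC 2637): enhanced GRE, version 1, protocol 0x880B,
    Key field = payload length (high 16 bits) | call ID (low 16 bits), plus a
    sequence number. The PPP frame itself travels unchanged."""
    key = (len(ppp_frame) << 16) | (call_id & 0xFFFF)
    return gre_encapsulate(ETHERTYPE_PPP, ppp_frame, key=key, seq=seq, version=1)


if __name__ == "__main__":
    ppp = b"\x00\x21constructed PPP payload carrying an IP datagram"   # constructed sample
    on_the_wire = pptp_data_packet(ppp, call_id=7, seq=1)
    seen = gre_decapsulate(on_the_wire)
    print("protocol 0x%04x version %d call_id %d seq %d" % (
        seen.protocol, seen.version, seen.key & 0xFFFF, seen.seq))
    print("payload readable without any key:", seen.payload == ppp)
```
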

VPNs IN MOBILE ENVIRONMENTS:

Mobile VPNs handle the special circumstances when an endpoint of the
VPN is not fixed to a single IP address, but instead roams across various
networks such as data networks from cellular carriers or between
multiple Wi-Fi access points. Mobile VPNs have been widely used in
public safety, where they give law enforcement officers access to
mission-critical applications, such as computer-assisted dispatch and
criminal databases, as they travel between different subnets of a mobile
network. They are also used in field service management and by
healthcare organizations, among other industries.

Increasingly, mobile VPNs are being adopted by mobile professionals
and white-collar workers who need reliable connections. They allow
users to roam seamlessly across networks and in and out of
wireless-coverage areas without losing application sessions or dropping
the secure VPN session. A conventional VPN cannot survive such events
because the network tunnel is disrupted, causing applications to
disconnect, time out, or fail, or even cause the computing device itself to
crash.

Instead of logically tying the endpoint of the network tunnel to the
physical IP address, each tunnel is bound to a permanently associated IP
address at the device. The mobile VPN software handles the necessary
network authentication and maintains the network sessions in a manner
transparent to the application and the user. The Host Identity Protocol
(HIP), under study by the Internet Engineering Task Force, is designed
to support mobility of hosts by separating the role of IP addresses for
host identification from their locator functionality in an IP network.
With HIP a mobile host maintains its logical connections established via
the host identity identifier while associating with different IP addresses
when roaming between access networks.

ADVANTAGES AND DISADVANTAGES OF VPN:

Advantages of VPN
►Enhanced security. When you connect to the network through a
VPN, the data is kept secured and encrypted. In this way the information
is away from hackers’ eyes.
►Remote control. In case of a company, the great advantage of having
a VPN is that the information can be accessed remotely even from home
or from any other place. That’s why a VPN can increase productivity
within a company.
►Share files. A VPN service can be used if you have a group that needs
to share files for a long period of time.
►Online anonymity. Through a VPN you can browse the web in
complete anonymity. Compared to hide IP software or web proxies, the
advantage of a VPN service is that it allows you to access both web
applications and websites in complete anonymity.
►Unblock websites & bypass filters. VPNs are great for accessing
blocked websites or for bypassing Internet filters. This is why there is an
increased number of VPN services used in countries where Internet
censorship is applied.
►Change IP address. If you need an IP address from another country,
then a VPN can provide you this.
►Better performance. Bandwidth and efficiency of the network can be
generally increased once a VPN solution is implemented.
►Reduce costs. Once a VPN network is created, the maintenance cost
is very low. More than that, if you opt for a service provider, the
network setup and surveillance is no more a concern.
►Firewall connection: Your system is often attacked by several
hackers who may possibly misuse your private data. But with VPN
account, the activities won't be on your IP address as your specific IP
address will not likely be seen. Your computer is completely secured as
the hackers will attack the VPN server IP. So, the cyber-terrorist will be
confident that they are attacking your home personal computer IP
address, but this IP address will be the business IP address.
►Access from anywhere in the world: Often in gulf countries and
even numerous other countries for instance China, Singapore, Myanmar,
Syria, Yemen, Korea, etc. you ought to deal with numerous limitations.
But with VPN account, you can surf on the internet freely with no
restrictions at all.
►Highest level of security against password thefts: Your VPN
account even safeguards your system from password robbery, therefore
allowing you to browse on the web without any strain. However, with
VPN account there is no worry about password theft even if you are
surfing through Wi-Fi connectivity.
Disadvantages of VPN
►Lack of Security: VPN message traffic is carried on public
networking infrastructure, e.g. the Internet, or over a service provider's
network, which means circulating corporate data —one of your most
valuable assets—on the line (literally). Even though there are many
methods and technologies available to ensure data protection (like
encryption implementation), the level of concern about Internet security
is quite high and data in transmission is vulnerable to hackers. The use
of VPNs at this moment still requires an in-depth understanding of public
network security issues.
►Less Bandwidth than Dedicated Line : The other major
downside of VPNs relates to guaranteeing adequate bandwidth for
the work being done. Every use of the Internet consumes
bandwidth; the more users there are, the less bandwidth there is for
any single user. Some VPN service providers offer guaranteed
bandwidth, and private networks can be built with guaranteed
bandwidth allocations; however, these options will increase the
cost of the system.
►The need to accommodate protocols other than IP and
existing ("legacy") internal network technology: IP applications
were designed for low-latency, high-reliability networks. An
increasing number of real-time, interactive applications are being
used on the network. Although some applications can be tuned to
allow for increased latency, many of the applications tested cannot
be easily adjusted or cannot be adjusted at all, making the use of
the application problematic.

►Other pitfalls to consider:

• VPN technologies from different vendors may not work well
together due to differing standards compliance or immature
standards.
• VPNs are more prone to Internet connectivity problems.
• The availability and performance of an organization's wide-area
VPN (over the Internet in particular) depends on factors
largely outside of their control.
• Understanding of security issues
• Unpredictable Internet traffic
• Less Bandwidth as compared to Leased Lines
• Difficult to accommodate products from different vendors

Limitations of VPN
Although the VPN Service should enable you to access many restricted
resources from outside the network, it does have some limitations. As a
result of these limitations, we recommend that you use the VPN
connection only when you need to access resources that you would
otherwise be unable to access and that you terminate the connection as
soon as you have finished accessing these resources. Most of the
limitations arise because while the VPN connection is active, the PC
behaves as if it were part of the Oxford University network, and
therefore some resources that are local to it may not be available while
the connection is active. Some particular limitations are listed below.

►If you are making the VPN connection over a dial-up internet
connection that uses a standard modem and phone line, you may find
that some services are very slow. In particular this may be the case if
you are using the full version of OxLIP (as opposed to the web version)
which may take 10 minutes or more just to start up. If you find this to be
the case and you really need access to the full version of OxLIP,
consider increasing the speed of your underlying internet connection,
e.g. by switching to a broadband connection.
►While the VPN connection is active you are unlikely to be able to
print to any printer unless it is directly attached to your PC. To get
around this problem, save or copy information that you require into a file
on your computer and print it once the VPN connection is closed.

►If the PC that you are using is connected to a network, make sure that
you close any files that are stored on servers on that network before
making the VPN connection because you will not be able to access them
when the connection is active. If you need to copy or save information
into a file while the connection is active, save the file onto the local hard
disk of the PC, or onto floppy disk, zip disk etc.
►If the PC that you are using is connected to a network and you are
running software that is located on servers on that network rather than
locally on the PC, again you will not be able to access this software
while the VPN connection is active, so we recommend that you close
any such programs before making the connection.
►If you connect to the Internet using a dial-up service, you probably
won't be able to send out e-mail via your service provider while the
connection is active.

►If you are connecting from behind a firewall you may have problems
either establishing the connection in the first place, or you may find that
you can make the connection but then you cannot access anything over
the internet. Please contact OUCS for more information on specific ports
used by the VPN connection.
Study of VPN in NIC
In big organizations such as NIC (National Informatics Centre), VPN services are
used to a great extent. VPN servers are set up in the NIC, from where they provide
the VPN service all around the world. Requests for the VPN service are sent to them
by people all around the world, and they make them VPN clients. A proper
procedure is followed in making a VPN client. A digital certificate is
issued to the client which has an expiry date linked with it and must be
renewed periodically. The whole data of the VPN client is maintained in the
organization, including the sites they want to access. Thus VPN services are
provided to them; a username and password is issued to the VPN client. Thus the
clients can securely access the network. NIC looks into all the problems related to the
VPN services. They have sites such as www.inoc.nic.in maintained for such
purposes.

FUTURE PROSPECTIVES
VPNs will in future be used in more areas, for example by:
►Sales professionals, field technical specialists and others working
from remote offices.
►Employees who are required to work from home frequently.
►Employees whose time spent online exceeds an average of 20 hours
per week.
►Executives and key management personnel who frequently need access
from home.
►Support personnel who need remote access to the JnJ network to carry
out business-critical activities.
►VPNs are continually being enhanced (example: Equant NV).
►As the VPN market grows, more applications will be created, along
with more VPN providers and new VPN types.
►Networks are expected to converge to create an integrated VPN.
►Improved protocols are expected, which will also improve VPNs.

CONCLUSION:

In a nutshell, a VPN is exactly what its name suggests: a pseudo-private
network. Instead of building a secured physical connection directly to
each mobile employee (a very expensive and inflexible proposition), a VPN
uses the very public and very unsecured Internet to connect employees to
the office, relying on encryption and authentication rather than on the
physical medium for its security.
VPNs are increasingly becoming an everyday part of life on the
Internet. Many people use them to gain access to many of the
systems in their offices, such as e-mail and intranets. This trend is
certain to become more popular as many companies are finding it
cheaper for their employees to work from home, relieving them of the
need to lease additional office space.
Site-to-site VPNs will also continue to be deployed as companies, both
small and large, find it increasingly necessary to share access to their
business systems. One notable area is IP telephony, where a VPN lets all
remote offices use a single IP switchboard at the centre of a hub-and-spoke
network. Inter-office communication is therefore encrypted, and the use of
a single switchboard saves costs.
Knowledge of VPNs is now indispensable for systems administrators.
We have seen in this report the two main ways a VPN is used today
(site-to-site and remote-access, or "road warrior") as well as the three
main protocols. PPTP was historically the protocol of choice for road-warrior
connections because of its built-in client support; however, its MS-CHAPv2
authentication and the RC4 keying derived from it are cryptographically
broken, so it should no longer be deployed for anything confidential. L2TP
is similar but can encapsulate any type of network traffic and can therefore
carry even protocols that cannot be routed without encapsulation. Note that
L2TP itself provides no encryption; it is normally run over IPsec
(L2TP/IPsec) to obtain it.
IPsec is ideal for LAN-to-LAN tunnels because it operates at the network
layer (IP), so everything carried above it (TCP, UDP and the application
protocols) is protected without any change to the applications. IPsec was
designed alongside IPv6 and forms part of the IPv6 specification, and it is
expected to become the most widely used tunnelling protocol in both VPN
domains (LAN to LAN and road warrior). One thing that deserves attention is
the choice of encryption and integrity algorithms for the VPN connection:
the tunnel protects your data only to the extent those algorithms do, so
prefer AES with an authenticated mode or a separate HMAC, and avoid DES,
RC4 and MD5.
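As an added example (not part of the original report or of any IPsec implementation), the following Python models one direction of an IPsec ESP security association using NULL encryption (RFC 2410) with HMAC-SHA-256-128 integrity (RFC 4868). It illustrates two points made above: the whole upper-layer payload is protected as an opaque blob at the IP layer, and the receiver's anti-replay window (RFC 4303) rejects replayed packets while a forged packet cannot move the window. The SPI, key, payloads and protocol numbers used below are constructed for the example; a real deployment would use an encrypting cipher such as AES-GCM instead of NULL.

```python
import hashlib
import hmac
import struct

ICV_LEN = 16   # HMAC-SHA-256-128 (RFC 4868): 256-bit tag truncated to 128 bits
WINDOW = 64    # minimum anti-replay window size required by RFC 4303
ESP_HDR = struct.Struct("!II")   # SPI, Sequence Number (network byte order)


class SecurityAssociation:
    """One direction of an ESP SA; the same class serves sender and receiver."""

    def __init__(self, spi, integrity_key):
        self.spi = spi
        self.key = integrity_key
        self.tx_seq = 0          # last sequence number sent
        self.rx_highest = 0      # highest sequence number authenticated so far
        self.rx_bitmap = 0       # bit i set => packet (rx_highest - i) was seen

    def _icv(self, data):
        return hmac.new(self.key, data, hashlib.sha256).digest()[:ICV_LEN]

    def encapsulate(self, payload, next_header):
        """Wrap an upper-layer PDU (e.g. a TCP segment) in an ESP packet."""
        self.tx_seq += 1
        # ESP trailer: padding to 4-byte alignment, then Pad Length, Next Header.
        pad_len = (-(len(payload) + 2)) % 4
        trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
        body = ESP_HDR.pack(self.spi, self.tx_seq) + payload + trailer
        return body + self._icv(body)   # NULL cipher: body travels in the clear

    def _is_replay(self, seq):
        if seq == 0:
            return True                   # 0 is never a valid ESP sequence number
        if seq > self.rx_highest:
            return False                  # new high-water mark, always fresh
        diff = self.rx_highest - seq
        return diff >= WINDOW or bool((self.rx_bitmap >> diff) & 1)

    def _mark_seen(self, seq):
        if seq > self.rx_highest:
            shift = seq - self.rx_highest
            self.rx_bitmap = ((self.rx_bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.rx_highest = seq
        else:
            self.rx_bitmap |= 1 << (self.rx_highest - seq)

    def decapsulate(self, packet):
        """Return (status, next_header, payload); payload is None unless status is 'ok'."""
        if len(packet) < ESP_HDR.size + 2 + ICV_LEN:
            return "too short", None, None
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        spi, seq = ESP_HDR.unpack_from(body)
        if spi != self.spi:
            return "unknown spi", None, None
        # Cheap replay check first, then the ICV. The window is updated only
        # after the ICV verifies, so a forged packet cannot advance it.
        if self._is_replay(seq):
            return "replay", None, None
        if not hmac.compare_digest(icv, self._icv(body)):
            return "bad icv", None, None
        self._mark_seen(seq)
        pad_len, next_header = body[-2], body[-1]
        payload = body[ESP_HDR.size:len(body) - 2 - pad_len]
        return "ok", next_header, payload


if __name__ == "__main__":
    # Constructed demo: SPI 0x1000, a shared integrity key, TCP (6) payload.
    key = b"constructed-demo-integrity-key-32"
    tx, rx = SecurityAssociation(0x1000, key), SecurityAssociation(0x1000, key)
    pkt = tx.encapsulate(b"GET / HTTP/1.0\r\n", 6)
    print(rx.decapsulate(pkt))          # accepted
    print(rx.decapsulate(pkt))          # same packet again: replay
```

Status strings are returned rather than raised so that a gateway can count each rejection reason separately; in a real stack these become the per-SA replay and authentication-failure counters that operators watch for attack activity.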

A VPN is a network that uses public telecommunication infrastructure for
the following purposes:
1. It extends geographic connectivity.
2. It reduces the cost of WAN connections.
3. It increases mobility.
4. It reduces transit time.
COLLEGE PROFILE:
B--------- V------------- College of Engineering is an
engineering college located in India. Its parent body is
University, and it shares its infrastructure with the Institute
of Computers and Management. It is affiliated with---------.
It is one of the leading engineering colleges in. The
institute conducts training programmes in collaboration
with a leading multinational company in the areas of VLSI and
Embedded Systems. The institute also conducts in-plant
training programmes for students, in view of campus
recruitment programmes, that attempt to match the
aspirations of the students with the expectations of the
corporate sector.
It offers the B.Tech engineering degree in the following
streams:
1. Electronics & Communication Engineering - 120
2. Computer Science & Engineering - 60
3. Information Technology Engineering - 60
4. Electrical & Electronics Engineering - 60
5. Instrumentation & Control Engineering - 60
BIBLIOGRAPHY:
2. Cisco CCNA, all modules (networking background).
3. Virtual Private Networks: Technologies and Solutions, and
Virtual Private Networks: Making the Right Connection (VPN background).
http://www.inoc.nic.in
http://www.vpnserver.nic.in
http://www.vpn-info.com/disadvantages_of_vpn.htm
http://en.wikipedia.org/wiki/VPN
INDEX
Topics                                      Page no.
1) ABSTRACT                                 1
2) INTRODUCTION OF VPN                      28
3) HISTORY OF VPN                           31
4) DIFFERENT TYPES OF VPN                   36
5) TECHNOLOGIES SUPPORTED BY VPN            42
6) PROTOCOLS USED                           47
7) ADVANTAGES AND DISADVANTAGES OF VPN      59
8) LIMITATIONS                              62
9) FUTURE EXPANSION                         65
10) CONCLUSION                              66
11) ORGANISATION PROFILE                    68
12) COLLEGE PROFILE                         73
13) BIBLIOGRAPHY                            76