ACKNOWLEDGEMENT
ABSTRACT
Students, staff and faculty increasingly connect to the campus
data network via the Internet. The need to access university
resources is likely to increase dramatically with the
implementation of projects such as Sakai, and VPN services
appear to offer solutions to related remote access requirements.
Additionally, VPN services provide a secure method of improving
remote access to licensed material and other university resources
restricted to systems assigned a campus IP address.
The workgroup examined available VPN technology and believes
that SSL VPN solutions reflect a cost-effective and capable VPN
solution for UC Davis. The workgroup recommends Information
and Educational Technology prepare a Request for Information
for an SSL VPN solution. As part of the RFI process, the
workgroup further recommends that IET perform a pilot test using
SSL VPN solution(s) that meet RFI specifications to ensure
product conformity with our requirements for infrastructure and
campus unit services and performance.
The result of examination and successful testing should be a
Request for Quote that permits a phased implementation based
on campus size, but that does not make a commitment beyond an
initial implementation level that includes current library proxy
users and those users who are denied access to university
resources due to network source address restrictions.
COMPUTER NETWORKS:
• Introduction
• Network classification
• Types of networks
• Basic hardware components
Introduction:
A computer network is a collection of computers and devices
connected to each other. The network allows computers to
communicate with each other and share resources and
information. The Advanced Research Projects Agency (ARPA) designed
the "Advanced Research Projects Agency Network" (ARPANET) for the
United States Department of Defense. It was the first computer network
in the world, built in the late 1960s and early 1970s.
Network classification:
The following list presents categories used for classifying
networks:
Connection method
Scale
Networks are often classified as Local Area Network (LAN), Wide Area
Network (WAN), Metropolitan Area Network (MAN),
Personal Area Network (PAN), Virtual Private Network (VPN),
Campus Area Network (CAN), Storage Area Network (SAN), etc.
depending on their scale, scope and purpose. Usage, trust levels and
access rights often differ between these types of network – for example,
LANs tend to be designed for internal use by an organization's internal
systems and employees in individual physical locations (such as a
building), while WANs may connect physically separate parts of an
organization to each other and may include connections to third parties.
Network topology
Types of networks
reach of a PAN is typically about 20-30 feet (approximately 6-9
meters), but this is expected to increase with technology
improvements.
servers) and to connect to the Internet. On a wired LAN, PCs in the
library are typically connected by category 5 (Cat5) cable, running the
IEEE 802.3 protocol through a system of interconnected devices that
eventually connect to the Internet. The cables to the servers are typically
Cat 5e enhanced cable, which will support IEEE 802.3 at 1 Gbit/s. A
wireless LAN may exist using a different IEEE protocol: 802.11b,
802.11g or possibly 802.11n.
The staff computers (bright green in the figure) can get to the color
printer, checkout records, and the academic network and the Internet.
All user computers can get to the Internet and the card catalog. Each
workgroup can get to its local printer. Note that the printers are not
accessible from outside their workgroup.
Typical library network, in a branching tree topology and controlled
access to resources
All interconnected devices must understand the network layer (layer 3),
because they are handling multiple subnets (the different colors). Those
inside the library, which have only 10/100 Mbit/s Ethernet connections
to the user device and a Gigabit Ethernet connection to the central
router, could be called "layer 3 switches" because they only have
Ethernet interfaces and must understand IP. It would be more correct to
call them access routers, where the router at the top is a distribution
router that connects to the Internet and academic networks' customer
access routers.
The defining characteristics of LANs, in contrast to
WANs (wide area networks), include their higher data transfer
rates, smaller geographic range, and lack of a need for leased
telecommunication lines. Current Ethernet or other IEEE 802.3
LAN technologies operate at speeds up to 10 Gbit/s. This is the
data transfer rate. IEEE has projects investigating the
standardization of 100 Gbit/s, and possibly 400 Gbit/s.
The main aim of a campus area network is to facilitate students
accessing internet and university resources. This is a network that
connects two or more LANs but that is limited to a specific and
contiguous geographical area such as a college campus, industrial
complex, office building, or a military base. A CAN may be considered
a type of MAN (metropolitan area network), but is generally limited to a
smaller area than a typical MAN. This term is most often used to discuss
the implementation of networks for a contiguous area. This should not
be confused with a Controller Area Network. A LAN connects network
devices over a relatively short distance. A networked office building,
school, or home usually contains a single LAN, though sometimes one
building will contain a few small LANs (perhaps one per room), and
occasionally a LAN will span a group of nearby buildings. In TCP/IP
networking, a LAN is often but not always implemented as a single IP
subnet.
together but does not extend beyond the boundaries of the
immediate town/city. Routers, switches and hubs are connected to create
a metropolitan area network.
cross metropolitan, regional, or national boundaries [1]). Less
formally, a WAN is a network that uses routers and public
communications links. Contrast with personal area networks
(PANs), local area networks (LANs), campus area networks
(CANs), or metropolitan area networks (MANs), which are usually
limited to a room, building, campus or specific metropolitan area (e.g., a
city) respectively. The largest and most well-known example of a WAN
is the Internet.
A WAN is a data communications network that covers a relatively broad
geographic area (i.e. one city to another and one country to another
country) and that often uses transmission facilities provided by common
carriers, such as telephone companies. WAN technologies generally
function at the lower three layers of the OSI reference model: the
physical layer, the data link layer, and the network layer.
Global area network
Intranet
Extranet
Internet
Intranet
An intranet is a set of networks, using the Internet
Protocol and IP-based tools such as web browsers and file transfer
applications, that is under the control of a single administrative entity.
That administrative entity closes the intranet to all but specific,
authorized users. Most commonly, an intranet is the internal network of
an organization. A large intranet will typically have at least one web
server to provide users with organizational information.
Extranet
An extranet is a network or internetwork that is limited in scope to a
single organization or entity but which also has limited connections to
the networks of one or more other usually, but not necessarily, trusted
organizations or entities (e.g., a company's customers may be given
access to some part of its intranet, creating in this way an extranet,
while at the same time the customers may not be considered 'trusted'
from a security standpoint). Technically, an extranet may also be
categorized as a CAN, MAN, WAN, or other type of network, although, by
definition, an extranet cannot consist of a single LAN; it must have at
least one connection with an external network.
Internet
A virtual private network (VPN) is a computer network in which some
of the links between nodes are carried by open connections or virtual
circuits in some larger network (e.g., the Internet) instead of by physical
wires. The link-layer protocols
of the virtual network are said to be tunneled through the larger
network when this is the case. One common application is secure
communications through the public Internet, but a VPN need not have
explicit security features, such as authentication or content encryption.
VPNs, for example, can be used to separate the traffic of different user
communities over an underlying network with strong security features.
A VPN may have best-effort performance, or may have
a defined service level agreement (SLA) between the VPN
customer and the VPN service provider. Generally, a VPN has a
topology more complex than point-to-point.
A VPN allows computer users to appear to be connecting from an IP
address location other than the one which connects the actual computer
to the Internet.
A network card, network adapter or NIC (network interface card) is a
piece of computer hardware designed to allow computers to
communicate over a computer network. It provides physical access to a
networking medium and often provides a low-level addressing system
through the use of MAC addresses.
Repeaters
A repeater is an electronic device that receives a signal
and retransmits it at a higher power level, or to the other side of an
obstruction, so that the signal can cover longer distances without
degradation. In most twisted pair Ethernet configurations, repeaters are
required for cable which runs longer than 100 meters.
Hubs
A hub contains multiple ports. When a packet arrives at one port, it is
copied unmodified to all ports of the hub for transmission. The
destination address in the frame is not changed to a broadcast address.
Bridges
A network bridge connects multiple network segments at the data link
layer (layer 2) of the OSI model. Bridges do not promiscuously copy
traffic to all ports, as hubs do, but learn which MAC addresses are
reachable through specific ports. Once the bridge associates a port and
an address, it will send traffic for that address only to that port. Bridges
do send broadcasts to all ports except the one on which the broadcast
was received. Bridges learn the association of ports and addresses by
examining the source address of frames that it sees on various ports.
Once a frame arrives through a port, its source address is stored and the
bridge assumes that MAC address is associated with that port. The first
time that a previously unknown destination address is seen, the bridge
will forward the frame to all ports other than the one on which the frame
arrived.
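The learning and forwarding behaviour described above, as an added simulation (not code from the original document). The bridge records each frame's source MAC against its ingress port, forwards a known destination only to the learned port, filters frames whose destination is on the same segment, and floods unknown unicast and broadcast frames to every other port. Port numbers and MAC addresses are constructed for the example.

```python
"""Learning-bridge simulation (added example, not from the original document)."""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str
    dst: str
    in_port: int


@dataclass
class LearningBridge:
    ports: int
    table: dict = field(default_factory=dict)   # MAC address -> port number

    def handle(self, frame: Frame) -> list:
        """Return the list of ports the frame is transmitted on."""
        # Learning: the source address is assumed to live behind the ingress port.
        # A later frame from the same MAC on another port simply updates the entry.
        self.table[frame.src] = frame.in_port

        others = [p for p in range(self.ports) if p != frame.in_port]
        if frame.dst == BROADCAST:
            return others            # broadcasts go everywhere except the ingress port
        port = self.table.get(frame.dst)
        if port is None:
            return others            # unknown destination: flood, as a hub would
        if port == frame.in_port:
            return []                # destination is on the same segment: filter it
        return [port]                # known destination: forward to that port only


def demo() -> dict:
    """Walk a constructed sequence of frames through a 4-port bridge."""
    br = LearningBridge(ports=4)
    a, b = "00:11:22:33:44:aa", "00:11:22:33:44:bb"    # constructed MAC addresses
    out = {}
    out["a_to_b_unknown"] = br.handle(Frame(a, b, in_port=0))   # b unknown: flood
    out["b_to_a_known"] = br.handle(Frame(b, a, in_port=2))     # a was learned on port 0
    out["a_to_b_known"] = br.handle(Frame(a, b, in_port=0))     # b was learned on port 2
    out["broadcast"] = br.handle(Frame(a, BROADCAST, in_port=0))
    out["same_segment"] = br.handle(Frame(a, b, in_port=2))     # a now seen on port 2, where b is
    out["table"] = dict(br.table)
    return out


if __name__ == "__main__":
    for name, ports in demo().items():
        print(name, ports)
```

The last step shows the table being overwritten when a host appears on a different port, which is exactly the learning rule the text describes: the bridge trusts the most recent source address it has seen.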
Bridges come in three basic types:
1. Local bridges: Directly connect local area networks (LANs)
2. Remote bridges: Can be used to create a wide area network
(WAN) link between LANs. Remote bridges, where the connecting link
is slower than the end networks, largely have
been replaced by routers.
3. Wireless bridges: Can be used to join LANs or connect
remote stations to LANs.
Switches
A switch is a device that forwards and filters OSI layer 2 datagrams
(chunks of data communication) between ports (connected cables) based
on the MAC addresses in the packets. This is distinct from a hub in that
it only forwards the packets to the ports involved in the communication
rather than to all connected ports. Strictly speaking, a switch is not
capable of routing traffic based on IP address (OSI layer 3), which is
necessary for communicating between network segments or within a large
or complex LAN. Some switches are capable of routing based on IP
addresses but are still called switches as a marketing term. A switch
normally has numerous ports, with the intention being that most or all of
the network is connected directly to the switch, or to another switch that
is in turn connected to a switch.
Switch is a marketing term that encompasses routers and bridges, as well
as devices that may distribute traffic on load or by application content
(e.g., a Web URL identifier). Switches may operate at one or more OSI
model layers, including physical, data link, network, or transport (i.e.,
end-to-end). A device that operates simultaneously at more than one of
these layers is called a multilayer switch.
Overemphasizing the ill-defined term "switch" often leads to confusion
when first trying to understand networking. Many experienced network
designers and operators recommend starting with the logic of devices
dealing with only one protocol
level, not all of which are covered by OSI. Multilayer device selection is
an advanced topic that may lead to selecting particular implementations,
but multilayer switching is simply not a real world design concept.
Routers
INTRODUCTION
Virtual private network
A virtual private network (VPN) is a computer network in which some
of the links between nodes are carried by open connections or virtual
circuits in some larger network (e.g., the Internet) instead of by physical
wires. The link-layer protocols of the virtual network are said to be
tunneled through the larger network when this is the case. One common
application is secure communications through the public Internet, but a
VPN need not have explicit security features, such as authentication or
content encryption. VPNs, for example, can be used to separate the
traffic of different user communities over an underlying network with
strong security features.
DIGITAL CERTIFICATE:
• Certificate derived from the site / sent by mail
Installing the VPN client software:
1. Install the setup 'Windows Installer package' for Windows XP/2000.
2. For Windows 98 the software is available at
http://ftp.ren.nic.in/pub/Cisco/vpn/VPN%20client%20software/vpnclient-win-is-3-6.6-a-k9.exe
3. The client software is in Zip format. Unzip it.
4. For Linux, the software is available at
http://ftp.ren.nic.in/pub/Cisco/vpn/VPN%20client%20software/vpnclient-linux-4.6.02003-k9.tar.gz
HISTORY
Until the end of the 1990s the computers in computer networks
connected through very expensive leased lines and/or dial-up phone
lines. It could cost thousands of dollars for 56 kbps lines or tens of
thousands for T1 lines, depending on the distance between the
sites. Virtual Private Networks reduce network costs because they avoid
the need for many leased lines that individually connect to the Internet.
Users can exchange private data securely, making the expensive leased
lines redundant. The term VPN has been associated in the past with such
remote connectivity services as the public telephone network and Frame
Relay PVCs, but has finally settled in as being synonymous with IP-
based data networking. Before this concept surfaced, large corporations
had expended considerable resources to set up complex private
networks, now commonly called Intranets. These networks were installed
using costly leased line services, Frame Relay, and ATM to incorporate
remote users. For the smaller sites and mobile workers on the
remote end, companies supplemented their networks with remote access
servers or ISDN. At the same time, the small- to medium-sized
enterprises (SMEs), who could not afford dedicated leased lines, were
relegated to low-speed switched services.
As the Internet became more and more accessible and bandwidth
capacities grew, companies began to offload their Intranets to the web
and create what are now known as Extranets to link internal and external
users. However, as cost-effective and quick-to-deploy as the Internet is,
there is one fundamental problem – security.
Today's VPN solutions overcome the security factor. Using special
tunneling protocols and complex encryption procedures, data integrity
and privacy are achieved in what seems, for the most part, like a
dedicated point-to-point connection. And, because these operations occur
over a public network, VPNs can cost significantly less to implement
than privately owned or leased services. Although early VPNs required
extensive expertise to implement, the technology has already matured to
a level that makes its deployment a simple and affordable solution for
businesses of all sizes, including SMEs who were previously being left
out of the e-revolution. Using the Internet, companies can connect their
remote branch offices, project teams, business partners, and e-customers
into the main corporate network. Mobile workers and telecommuters can
get secure connectivity by dialing into the POP (Point-of-Presence) of a
local ISP (Internet Service Provider). With a VPN, corporations see
immediate cost-reduction opportunities in their long distance charges
(especially important to global companies), leased line fees, equipment
inventories (like large banks of modems), and network support
requirements.
VPN technologies have myriad protocols, terminologies and marketing
influences that define them. For example, VPN technologies can differ
in:
1. The protocols they use to tunnel the traffic
2. The tunnel's termination point, i.e., customer edge or network provider
edge
3. Whether they offer site-to-site or remote access connectivity
4. The levels of security provided
5. The OSI layer they present to the connecting network, such as Layer 2
circuits or Layer 3 network connectivity.
REQUIREMENTS:
Operating system: Windows 2000 SP4, Windows XP SP2, Windows Vista, Windows 7
Computer: Computer with a Pentium®-class processor or greater. In addition,
x64 or x86 processors are supported for Windows XP and Windows Vista.
Requirements:
• 5 MB hard disk space.
• RAM: 128 MB for Windows 2000; 256 MB for Windows XP; 512 MB for Windows Vista.
• Microsoft Installer, version 3.

Operating system: Mac OS X, Version 10.4 or later
Computer: Macintosh computer¹
Requirements: 50 MB hard disk space
VPN is that the customer can trust the provider to provision and
control the VPN. Therefore, no one outside the realm of trust can change
any part of the VPN. Note that some VPNs span more than one provider;
in this case, the customer is trusting the group of providers as if they
were a single provider.
No one other than the trusted VPN provider can change data, inject
data, or delete data on a path in the VPN. A trusted VPN is more than
just a set of paths: it is also the data that flows along those paths.
Although the paths are typically shared among many customers of a
provider, the path itself must be specific to the VPN and no one other
than the trusted provider can affect the data on that path. Such a change
by an outside party would affect the characteristics of the path itself,
such as the amount of traffic measured on the path.
The routing and addressing used in a trusted VPN must be
established before the VPN is created. The customer must know what
is expected of the customer, and what is expected of the service
provider, so that they can plan for maintaining the network that they are
purchasing.
Hybrid VPN requirements
The address boundaries of the secure VPN within the trusted VPN
must be extremely clear. In a hybrid VPN, the secure VPN may be a
subset of the trusted VPN, such as if one department in a corporation
runs its own secure VPN over the corporate trusted VPN. For any given
pair of addresses in a hybrid VPN, the VPN administrator must be able to
definitively say whether or not traffic between those two addresses is
part of the secure VPN.
Different Types of VPN
A VPN supports at least three different modes of use:
increase productivity and peace of mind by ensuring secure
network access regardless of where an employee physically is.
2. Site to site: Dedicated VPN connection established among
multiple LANs. Each site requires a local leased/RF/ISDN
connection to the local ISPs.
that business partners are only able to gain secure access to
specific data / resources, while not gaining access to private
corporate information.
BENEFIT: Businesses enjoy the same policies as a private
network, including security, QoS, manageability, and reliability.
The workgroup found that the following characteristics are necessary for
a successful UC Davis VPN implementation:
4. Security that is not “one size fits all”. The ability to assign remote
users to security zones based on authorization groups is highly desirable
in many circumstances. For example, SSL VPN technology could be
used to enhance campus wireless security through the assignment of
users to trusted and untrusted zones depending on their affiliation.
availability platform. An active/passive configuration would provide
fail-safe operation if a load balancing active/active configuration was
unaffordable.
Technologies Supported by VPNC
The following technologies support the requirements from the previous
section. VPNC supports these technologies when they are implemented
by users themselves and when they are implemented in provider-
provisioned VPNs.
5.1 Secure VPN technologies
IPsec with encryption in either tunnel or transport mode. The
security associations can be set up either manually or using IKE with
either certificates or preshared secrets.
IPsec, short for Internet Protocol Security, can run in either transport
or tunnel mode, each having significantly different implications,
particularly with regard to security — tunnel mode will encrypt both the
header information and the data transmitted, whereas transport mode will
encrypt only the data. Keys must be shared by both the sender and
recipient in order to correctly decrypt the transmission. IPsec works at
Layer 3, the Network Layer of the OSI Model, which enables it to operate
independently of any application. An IPsec VPN creates a tunnel
between two endpoints through which any number of connections and
protocol types (Web, email, file transfer, VoIP) can travel. The
original IP data packet is re-encapsulated so that all application
protocol information is hidden during the actual transmission of the
data. A typical deployment will consist of one or more VPN gateways
to the secured networks. Special VPN client software must be
installed on each remote access user's computer, and each VPN client
must be configured to define which packets should be encrypted and
which gateway is to be used for the VPN tunnel. Once connected, the
client becomes a full member of the secured network, able to see and
access everything just as if that system was actually physically
connected to the network.
IPsec and SSL each have their own advantages, so what is “better” may
often come down to what is most suited for your network, but many
organizations are increasingly turning to SSL VPNs for the additional
benefits available.
In MPLS, the IP packets are encapsulated with these labels by the
first MPLS device they encounter as they enter the network. The
MPLS edge router analyses the contents of the IP header and selects
an appropriate label with which to encapsulate the packet. Part of the
great power of MPLS comes from the fact that, in contrast to
conventional IP routing, this analysis can be based on more than just
the destination address carried in the IP header. At all the subsequent
nodes within the network the MPLS label, and not the IP header, is
used to make the forwarding decision for the packet. Finally, as
MPLS labeled packets leave the network, another edge router
removes the labels.
In MPLS terminology, the packet handling nodes or routers are called
Label Switched Routers (LSRs). The derivation of the term should be
obvious; MPLS routers forward packets by making switching
decisions based on the MPLS label. This illustrates another of the key
concepts in MPLS. Conventional IP routers contain routing tables
which are looked up using the IP header from a packet to decide how
to forward that packet. These tables are built by IP routing protocols
(e.g., RIP or OSPF) which carry around IP reachability information in
the form of IP addresses. In practice, we find that forwarding (IP
header lookup) and control planes (generation of the routing tables)
are tightly coupled. Since MPLS forwarding is based on labels it is
possible to cleanly separate the (label-based) forwarding plane from
the routing protocol control plane. By separating the two, each can be
modified independently. With such a separation, we don't need to
change the forwarding machinery, for example, to migrate a new
routing strategy into the network.
There are two broad categories of LSR. At the edge of the network,
we require high performance packet classifiers that can apply (and
remove) the requisite labels: we call these MPLS edge routers. Core
LSRs need to be capable of processing the labeled packets at
extremely high bandwidths.
This is an abstract of the MPLS article contained in techguide.com.
The complete article examines MPLS and the opportunities it offers
to users and also to the service providers who are designing and
engineering the next generation of IP networks. It also describes why
new carrier-class edge devices will become a key component in the
provisioning of future network services.
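The label-switching behaviour described in the MPLS passage above, as an added simulation (not code from the original document or from the techguide.com article). The ingress edge LSR classifies the IP packet into a forwarding equivalence class using the destination prefix and, optionally, the DSCP value, so that the decision uses more than the destination address; each core LSR consults only its label table and swaps the label; the egress edge LSR pops it. Router names, labels, prefixes and the static tables are constructed for the example (a real network's control plane would build them).

```python
"""MPLS label-switched path walk-through (added example, not from the document)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class IPPacket:
    dst: str
    dscp: int = 0
    labels: list = field(default_factory=list)   # MPLS label stack, top of stack last


@dataclass
class EdgeLSR:
    name: str
    # Ordered FEC rules: (prefix, dscp or None for any, outgoing label, next hop).
    # Constructed statically here; a real control plane (LDP, BGP) would fill this.
    fec_rules: list = field(default_factory=list)

    def ingress(self, pkt: IPPacket) -> str:
        """Classify on the IP header, push a label, return the next hop."""
        addr = ipaddress.ip_address(pkt.dst)
        for prefix, dscp, label, next_hop in self.fec_rules:
            if addr in ipaddress.ip_network(prefix) and dscp in (None, pkt.dscp):
                pkt.labels.append(label)
                return next_hop
        raise LookupError(f"{self.name}: no FEC matches {pkt.dst}")

    def egress(self, pkt: IPPacket) -> None:
        """Remove the label; the packet continues as ordinary IP."""
        pkt.labels.pop()


@dataclass
class CoreLSR:
    name: str
    lfib: dict   # incoming label -> (outgoing label, next hop); the IP header is never read

    def forward(self, pkt: IPPacket) -> str:
        top = pkt.labels[-1]
        if top not in self.lfib:
            raise LookupError(f"{self.name}: no entry for label {top}")
        out_label, next_hop = self.lfib[top]
        pkt.labels[-1] = out_label                 # label swap
        return next_hop


def switch_path(pkt: IPPacket, nodes: dict, ingress: str) -> list:
    """Return [(router, label after that router processed the packet), ...]."""
    trace = []
    hop = nodes[ingress].ingress(pkt)
    trace.append((ingress, pkt.labels[-1]))
    while hop is not None:
        node = nodes[hop]
        if isinstance(node, CoreLSR):
            next_hop = node.forward(pkt)
            trace.append((node.name, pkt.labels[-1]))
            hop = next_hop
        else:
            node.egress(pkt)
            trace.append((node.name, None))
            hop = None
    return trace


def demo() -> dict:
    """Two packets to the same destination take different paths because of DSCP."""
    nodes = {
        "PE1": EdgeLSR("PE1", [("10.1.0.0/16", 46, 100, "P1"),     # voice (DSCP 46) via P1
                               ("10.1.0.0/16", None, 200, "P2")]),  # everything else via P2
        "P1": CoreLSR("P1", {100: (101, "PE2")}),
        "P2": CoreLSR("P2", {200: (201, "PE2")}),
        "PE2": EdgeLSR("PE2"),
    }
    return {
        "voice": switch_path(IPPacket("10.1.2.3", dscp=46), nodes, "PE1"),
        "bulk": switch_path(IPPacket("10.1.2.3", dscp=0), nodes, "PE1"),
    }


if __name__ == "__main__":
    for kind, trace in demo().items():
        print(kind, trace)
```

Only the edge routers touch the IP header; changing the classification policy on PE1 re-routes traffic without any change to the core routers' forwarding machinery, which is the separation of forwarding and control planes the passage describes.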
Technologies for trusted layer 3 VPNs include:
• MPLS with constrained distribution of routing information
through BGP, as described in RFC 4364 and other related Internet
Drafts.
It is widely assumed that both will become standards in the future. Also,
the service provider industry has not embraced one of these technologies
much more strongly than the other.
5.3 Hybrid VPN technologies
• Any supported secure VPN technologies running over any
supported trusted VPN technology.
It is important to note that a hybrid VPN is only secure in the parts that
are based on secure VPNs. That is, adding a secure VPN to a trusted
VPN does not increase the security of the entire trusted VPN, only of
the part that was directly secured. The secure VPN acquires the
advantages of the trusted VPN, such as having known QoS features.
Protocols Used
The protocol incorporates three major components: the
Authentication Header (AH), Encapsulating Security Payload
(ESP), and Internet Key Exchange (IKE).
VPN Tunneling Protocols
Several computer network protocols have been implemented
specifically for use with VPN tunnels. The three most popular
VPN tunneling protocols listed below continue to compete with
each other for acceptance in the industry. These protocols are
generally incompatible with each other.
Point-to-Point Tunneling Protocol (PPTP)
A PPP frame (an IP datagram, an IPX datagram, or a NetBEUI frame) is
wrapped with a Generic Routing Encapsulation (GRE) header and an IP
header. The IP header carries the source and destination IP addresses,
which correspond to the VPN client and VPN server.
PPTP PACKET
• PPTP control connection, where the user creates a PPTP
connection to the VPN server and negotiates the tunnel
characteristics.
The original competitor to PPTP for VPN tunneling was L2F, a protocol
implemented primarily in Cisco products. In an attempt to improve on
L2F, the best features of it and PPTP were combined to create a new
standard called L2TP. Like PPTP, L2TP exists at the data link layer
(Layer Two) in the OSI model -- thus the origin of its name. Jointly
developed by Cisco, Microsoft, and 3Com, L2TP promised to replace
PPTP as a major tunneling protocol. It is essentially a combination of
PPTP and Cisco Layer Two Forwarding (L2F), merging both into a
single standard. L2TP is used to tunnel PPP over a public IP network.
It relies on PPP to establish a dial-in connection using PAP or CHAP
authentication but, unlike PPTP, L2TP defines its own tunneling
protocol. Because L2TP works at Layer 2, non-IP protocols can be
transported through the tunnel, and it will work on any Layer 2 media,
such as ATM, Frame Relay, or 802.11. The protocol does not offer
encryption by itself, but it can be used in conjunction with other
protocols or application-layer encryption mechanisms to provide for
security needs.
Internet Protocol Security (IPsec)
packet of a data stream. IPsec also includes protocols for establishing
mutual authentication between agents at the beginning of the session and
negotiation of cryptographic keys to be used during the session. IPsec
can be used to protect data flows between a pair of hosts (e.g. computer
users or servers), between a pair of security gateways (e.g. routers or
firewalls), or between a security gateway and a host.
• A security association (SA) is set up by Internet Key Exchange
(IKE and IKEv2) or Kerberized Internet Negotiation of Keys
(KINK), which handle negotiation of protocols and algorithms and
generate the encryption and authentication keys to be used by
IPsec.
• Authentication Header (AH) to provide connectionless integrity and
data origin authentication for IP datagrams and to provide
protection against replay attacks.
• Encapsulating Security Payload (ESP) to provide confidentiality,
data origin authentication, connectionless integrity, an anti-replay
service (a form of partial sequence integrity), and limited traffic
flow confidentiality.
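The anti-replay service listed above for AH and ESP, as an added simulation (not code from the original document). The receiver keeps a sliding window over the per-packet sequence number, implemented as a bitmap in the manner of the ESP specification (RFC 4303), and advances it only after the packet's integrity check value (ICV) verifies, so a forged packet cannot push genuine ones out of the window. The ICV is a truncated HMAC-SHA256 over SPI, sequence number and payload; the key, SPI and packets are constructed for the example.

```python
"""ESP-style receiver: anti-replay window plus ICV check (added example)."""
import hashlib
import hmac
import struct


class ReplayWindow:
    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (top - i) has been accepted

    def check(self, seq: int):
        """Return None if seq is acceptable, otherwise the reason for rejection."""
        if seq == 0:
            return "zero-seq"        # the first packet on an SA carries sequence number 1
        if seq > self.top:
            return None              # ahead of the window: certainly not a replay
        offset = self.top - seq
        if offset >= self.size:
            return "stale"           # the window has already slid past it
        if (self.bitmap >> offset) & 1:
            return "replay"
        return None

    def update(self, seq: int) -> None:
        """Record seq as accepted; call only after the ICV has verified."""
        if seq > self.top:
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask if shift < self.size else 1
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def icv(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Integrity check value: HMAC over SPI, sequence number and payload, truncated."""
    data = struct.pack("!II", spi, seq) + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:16]


class EspReceiver:
    def __init__(self, key: bytes, window: int = 64):
        self.key = key
        self.window = ReplayWindow(window)

    def receive(self, spi: int, seq: int, payload: bytes, tag: bytes) -> str:
        reason = self.window.check(seq)        # cheap sequence check first
        if reason:
            return reason
        if not hmac.compare_digest(icv(self.key, spi, seq, payload), tag):
            return "bad-icv"                   # window left untouched
        self.window.update(seq)
        return "ok"


def demo() -> list:
    """Feed a constructed packet sequence, including a replay and a forgery."""
    key = b"constructed-example-key"
    spi = 0x1000
    rx = EspReceiver(key, window=8)

    def pkt(seq, payload=b"data"):
        return (spi, seq, payload, icv(key, spi, seq, payload))

    results = [
        rx.receive(*pkt(1)),              # ok
        rx.receive(*pkt(3)),              # ok: out of order but ahead of the window
        rx.receive(*pkt(2)),              # ok: inside the window, not yet seen
        rx.receive(*pkt(3)),              # replay
    ]
    _, seq, _, tag = pkt(4)
    results.append(rx.receive(spi, seq, b"tampered", tag))   # bad-icv, window not advanced
    results.append(rx.receive(*pkt(4)))                      # ok: the forgery did not burn seq 4
    results.append(rx.receive(*pkt(20)))                     # ok: window slides forward
    results.append(rx.receive(*pkt(5)))                      # stale: 20 - 5 >= window size
    return results


if __name__ == "__main__":
    print(demo())
```

Ordering matters: if the window were advanced before the ICV check, the tampered packet with sequence number 4 would cause the genuine packet 4 to be rejected as a replay.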
Modes of operation
Transport mode
In transport mode, only the payload (the data you transfer) of the IP
packet is encrypted and/or authenticated. The routing is intact, since
the IP header is neither modified nor encrypted; however, when the
authentication header is used, the IP addresses cannot be translated,
as this will invalidate the hash value. The transport and application
layers are always secured by hash, so they cannot be modified in
any way (for example by translating the port numbers). Transport
mode is used for host-to-host communications.
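The two points above, that transport mode leaves the IP header in the clear while the authentication header makes address translation fail, and that tunnel mode wraps the whole original packet, as an added model (not code from the original document). Packets are plain dictionaries; the AH integrity check value is an HMAC over the fields that do not change in transit (mutable fields such as TTL are zeroed before hashing), so a router's TTL decrement still verifies but a NAT rewrite of the source address does not. The keystream used for the tunnel-mode payload is a stand-in derived from HMAC, not the AES cipher real ESP would use; key and addresses are constructed.

```python
"""Transport mode vs tunnel mode, and why NAT breaks AH (added example)."""
import hashlib
import hmac
import json

MUTABLE = ("ttl",)   # header fields a router may legitimately change en route


def ah_icv(key: bytes, pkt: dict) -> str:
    """HMAC over the packet with mutable fields zeroed and any existing ICV excluded."""
    covered = {k: (0 if k in MUTABLE else v) for k, v in pkt.items() if k != "icv"}
    data = json.dumps(covered, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()[:24]


def ah_transport_protect(key: bytes, pkt: dict) -> dict:
    """Transport mode: keep the original header, attach an ICV."""
    protected = dict(pkt)
    protected["icv"] = ah_icv(key, protected)
    return protected


def ah_verify(key: bytes, pkt: dict) -> bool:
    return hmac.compare_digest(ah_icv(key, pkt), pkt.get("icv", ""))


def keystream(key: bytes, length: int) -> bytes:
    """Stand-in keystream (HMAC in counter mode); real ESP uses AES."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def esp_tunnel_encapsulate(key: bytes, pkt: dict, gw_src: str, gw_dst: str) -> dict:
    """Tunnel mode: encrypt the entire original packet and prepend a new IP header."""
    inner = json.dumps(pkt, sort_keys=True).encode()
    ciphertext = bytes(a ^ b for a, b in zip(inner, keystream(key, len(inner))))
    return {"src": gw_src, "dst": gw_dst, "ttl": 64, "proto": "ESP",
            "payload": ciphertext.hex()}


def esp_tunnel_decapsulate(key: bytes, outer: dict) -> dict:
    ciphertext = bytes.fromhex(outer["payload"])
    inner = bytes(a ^ b for a, b in zip(ciphertext, keystream(key, len(ciphertext))))
    return json.loads(inner)


def demo() -> dict:
    key = b"constructed-example-key"
    original = {"src": "192.168.1.10", "dst": "10.0.0.5", "ttl": 64,   # constructed
                "proto": "TCP", "payload": "GET / HTTP/1.1"}
    results = {}

    protected = ah_transport_protect(key, original)
    results["ah_untouched"] = ah_verify(key, protected)
    after_hop = dict(protected, ttl=63)               # a router decremented the TTL
    results["ah_after_ttl_decrement"] = ah_verify(key, after_hop)
    natted = dict(protected, src="203.0.113.7")       # NAT rewrote the source address
    results["ah_after_nat"] = ah_verify(key, natted)

    outer = esp_tunnel_encapsulate(key, original, "198.51.100.1", "198.51.100.2")
    results["outer_hides_inner_addresses"] = original["src"] not in json.dumps(outer)
    results["tunnel_roundtrip"] = esp_tunnel_decapsulate(key, outer) == original
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The NAT case is the practical consequence of the sentence above: because AH covers the addresses, any middlebox that rewrites them produces a packet the receiver must discard, which is why AH is rarely usable across NAT.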
Tunnel mode
GRE
via the GRE tunnel interface remains in effect even though the GRE
tunnel packets do not reach the other end of the tunnel.
network. They are also used in field service management and by
healthcare organizations, among other industries.
Advantages of VPN
►Enhanced security. When you connect to the network through a
VPN, the data is kept secured and encrypted. In this way the information
is away from hackers’ eyes.
►Remote control. In case of a company, the great advantage of having
a VPN is that the information can be accessed remotely even from home
or from any other place. That’s why a VPN can increase productivity
within a company.
►Share files. A VPN service can be used if you have a group that needs
to share files for a long period of time.
►Online anonymity. Through a VPN you can browse the web in
complete anonymity. Compared to hide IP software or web proxies, the
advantage of a VPN service is that it allows you to access both web
applications and websites in complete anonymity.
►Unblock websites & bypass filters. VPNs are great for accessing
blocked websites or for bypassing Internet filters. This is why there is an
increased number of VPN services used in countries where Internet
censorship is applied.
►Change IP address. If you need an IP address from another country,
then a VPN can provide you this.
►Better performance. Bandwidth and efficiency of the network can be
generally increased once a VPN solution is implemented.
►Reduce costs. Once a VPN network is created, the maintenance cost
is very low. More than that, if you opt for a service provider, the
network setup and surveillance is no more a concern.
►Firewall connection: Your system is often attacked by several
hackers who may possibly misuse your private data. But with a VPN
account, the activities won't be on your IP address, as your specific IP
address will not likely be seen. Your computer is completely secured, as
the hackers will attack the VPN server IP. So, the cyber-terrorist will be
confident that they are attacking your home personal computer IP
address, but this IP address will be the business IP address.
►Access from anywhere in the world: Often in Gulf countries and
numerous other countries, for instance China, Singapore, Myanmar,
Syria, Yemen, Korea, etc., you have to deal with numerous limitations.
But with a VPN account, you can surf the Internet freely with no
restrictions at all.
►Highest level of security against password theft: Your VPN
account also safeguards your system from password theft, allowing you
to browse the web without any strain. Even when you are surfing over a
Wi-Fi connection, with a VPN account there is no need to worry about
password theft.
Disadvantages of VPN
►Lack of security: VPN message traffic is carried on public
networking infrastructure, e.g. the Internet, or over a service provider's
network, which means circulating corporate data, one of your most
valuable assets, on the line (literally). Even though there are many
methods and technologies available to ensure data protection (such as
implementing encryption), the level of concern about Internet security
is quite high and data in transit is vulnerable to hackers. The use
of VPNs at this moment still requires an in-depth understanding of public
network security issues.
►Less bandwidth than a dedicated line: The other major
downside of VPNs relates to guaranteeing adequate bandwidth for
the work being done. Every use of the Internet consumes
bandwidth; the more users there are, the less bandwidth there is for
any single user. Some VPN service providers offer guaranteed
bandwidth, and private networks can be built with guaranteed
bandwidth allocations; however, these options increase the
cost of the system.
►The need to accommodate protocols other than IP and
existing ("legacy") internal network technology: IP applications
were designed for low-latency, high-reliability networks. An
increasing number of real-time, interactive applications are being
used on the network. Although some applications can be tuned to
allow for increased latency, many of the applications tested cannot
be easily adjusted or cannot be adjusted at all, making the use of
the application problematic.
• Less Bandwidth as compared to Leased Lines
• Difficult to accommodate products from different vendors
Limitations of VPN
Although the VPN Service should enable you to access many restricted
resources from outside the network, it does have some limitations. As a
result of these limitations, we recommend that you use the VPN
connection only when you need to access resources that you would
otherwise be unable to access and that you terminate the connection as
soon as you have finished accessing these resources. Most of the
limitations arise because while the VPN connection is active, the PC
behaves as if it were part of the Oxford University network, and
therefore some resources that are local to it may not be available while
the connection is active. Some particular limitations are listed below.
►If you are making the VPN connection over a dial-up internet
connection that uses a standard modem and phone line, you may find
that some services are very slow. In particular this may be the case if
you are using the full version of OxLIP (as opposed to the web version)
which may take 10 minutes or more just to start up. If you find this to be
the case and you really need access to the full version of OxLIP,
consider increasing the speed of your underlying internet connection,
e.g. by switching to a broadband connection.
►While the VPN connection is active you are unlikely to be able to
print to any printer unless it is directly attached to your PC. To get
around this problem, save or copy information that you require into a file
on your computer and print it once the VPN connection is closed.
►If the PC that you are using is connected to a network, make sure that
you close any files that are stored on servers on that network before
making the VPN connection because you will not be able to access them
when the connection is active. If you need to copy or save information
into a file while the connection is active, save the file onto the local hard
disk of the PC, or onto floppy disk, zip disk etc.
►If the PC that you are using is connected to a network and you are
running software that is located on servers on that network rather than
locally on the PC, again you will not be able to access this software
while the VPN connection is active, so we recommend that you close
any such programs before making the connection.
►If you connect to the Internet using a dial-up service, you probably
won't be able to send out e-mail via your service provider while the
connection is active.
►If you are connecting from behind a firewall you may have problems
either establishing the connection in the first place, or you may find that
you can make the connection but then you cannot access anything over
the internet. Please contact OUCS for more information on specific ports
used by the VPN connection.
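The limitations above all stem from one mechanism: while the tunnel is up, the client's routing table sends traffic for the home LAN into the tunnel, so local printers and file servers stop answering. The following is an added example (it is not code from the report or from OUCS) that models this with a minimal longest-prefix-match routing table. All addresses are constructed for the example: a home LAN of 192.168.1.0/24 behind router 192.168.1.1, a VPN server at 203.0.113.5, a campus network of 10.0.0.0/8, and a full-tunnel client that does not allow local LAN access, which is the behaviour the text describes. The split-tunnel table is added to show the configuration under which the local resources would remain reachable.

```python
"""Added example (not from the report): why local resources disappear while a
full-tunnel VPN is up, shown with a minimal longest-prefix-match routing table.

All addresses and prefixes below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    metric: int  # lower wins when two routes have the same prefix length


class RoutingTable:
    """Minimal host routing table with longest-prefix-match lookup."""

    def __init__(self, routes: List[Tuple[str, str, int]]) -> None:
        self.routes: List[Route] = []
        for prefix, interface, metric in routes:
            self.add(prefix, interface, metric)

    def add(self, prefix: str, interface: str, metric: int = 0) -> None:
        self.routes.append(Route(ipaddress.ip_network(prefix), interface, metric))

    def lookup(self, dst: str) -> Optional[str]:
        """Egress interface for dst: most specific prefix wins, lowest metric
        breaks ties, None if nothing matches."""
        addr = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if addr in r.prefix]
        if not candidates:
            return None
        best = max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))
        return best.interface


HOME_LAN = "192.168.1.0/24"      # constructed
HOME_GATEWAY = "192.168.1.1"     # constructed
VPN_GATEWAY = "203.0.113.5"      # constructed (TEST-NET-3 documentation range)
CAMPUS_NET = "10.0.0.0/8"        # constructed: reachable only through the tunnel

DESTINATIONS = {                 # constructed sample destinations
    "local printer": "192.168.1.50",
    "local file server": "192.168.1.10",
    "campus library server": "10.20.30.40",
    "public website": "198.51.100.80",
}


def base_table() -> RoutingTable:
    """Routes the PC has before any VPN is started."""
    return RoutingTable([(HOME_LAN, "eth0", 100), ("0.0.0.0/0", "eth0", 100)])


def full_tunnel() -> RoutingTable:
    """Full-tunnel client without local LAN access: everything, including the
    home LAN, is steered into tun0. Only the VPN server and the home router stay
    directly reachable so the encrypted tunnel packets can still leave the PC."""
    t = base_table()
    t.add(VPN_GATEWAY + "/32", "eth0")
    t.add(HOME_GATEWAY + "/32", "eth0")
    t.add(HOME_LAN, "tun0")        # overrides the on-link LAN route (same length, lower metric)
    t.add("0.0.0.0/0", "tun0")     # default route now points into the tunnel
    return t


def split_tunnel() -> RoutingTable:
    """Split-tunnel client: only the campus prefix uses tun0; LAN and Internet
    traffic keep their original routes."""
    t = base_table()
    t.add(VPN_GATEWAY + "/32", "eth0")
    t.add(CAMPUS_NET, "tun0")
    return t


def where_does_traffic_go(table: RoutingTable) -> Dict[str, Optional[str]]:
    """Map each sample destination to the interface the table would use."""
    return {name: table.lookup(ip) for name, ip in DESTINATIONS.items()}


if __name__ == "__main__":
    for label, table in (("no VPN", base_table()),
                         ("full tunnel", full_tunnel()),
                         ("split tunnel", split_tunnel())):
        print(label, where_does_traffic_go(table))
```

With the full-tunnel table, every sample destination except the VPN server itself resolves to tun0, which is exactly why the printer and the network share become unreachable. Split tunnelling restores them, but it also leaves the PC attached to an untrusted LAN and the remote network at the same time, so the advice above to connect only when needed and disconnect afterwards is a sensible default under either configuration.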
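The last limitation distinguishes two firewall symptoms: the tunnel cannot be set up at all, or it comes up but nothing passes through it. Which one occurs depends on whether the firewall permits the protocol's control channel, its data channel, or both. The following added example (not from the report or from OUCS) predicts the symptom for the protocols the report covers, given a constructed egress policy. The port numbers are the standard ones: PPTP uses TCP 1723 for control and GRE (IP protocol 47) for data; L2TP/IPsec sets up the tunnel with IKE on UDP 500 and carries data as raw ESP (IP protocol 50) or, behind NAT, inside UDP 4500 (NAT-T); an SSL VPN uses TCP 443 for both. How a particular client reports a blocked data channel varies by product; the example only classifies the underlying cause.

```python
"""Added example (not from the report): which VPN protocols an egress firewall
policy lets establish a tunnel, and which can then actually carry traffic.

The firewall policies at the bottom are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# (ip protocol, port); port 0 marks a protocol that has no ports (GRE, ESP).
Rule = Tuple[str, int]
Policy = Set[Rule]


@dataclass
class VpnProtocol:
    name: str
    control: List[Set[Rule]]  # alternatives: any one set fully permitted suffices
    data: List[Set[Rule]]


PROTOCOLS = [
    VpnProtocol("PPTP", control=[{("tcp", 1723)}], data=[{("gre", 0)}]),
    VpnProtocol("L2TP/IPsec", control=[{("udp", 500)}],
                data=[{("esp", 0)}, {("udp", 4500)}]),   # raw ESP, or NAT-T
    VpnProtocol("SSL VPN", control=[{("tcp", 443)}], data=[{("tcp", 443)}]),
]

CANNOT_ESTABLISH = "cannot establish"
NO_TRAFFIC = "establishes but carries no traffic"
OK = "ok"


def any_permitted(policy: Policy, alternatives: List[Set[Rule]]) -> bool:
    """True if at least one alternative rule set is entirely allowed out."""
    return any(alt <= policy for alt in alternatives)


def diagnose(policy: Policy, proto: VpnProtocol) -> str:
    """Classify the symptom a user behind this firewall would see."""
    if not any_permitted(policy, proto.control):
        return CANNOT_ESTABLISH
    if not any_permitted(policy, proto.data):
        return NO_TRAFFIC
    return OK


def report(policy: Policy) -> Dict[str, str]:
    return {p.name: diagnose(policy, p) for p in PROTOCOLS}


# Constructed egress policies: what the firewall lets out.
WEB_ONLY: Policy = {("tcp", 80), ("tcp", 443), ("udp", 53)}
PORTS_BUT_NO_GRE_ESP: Policy = WEB_ONLY | {("tcp", 1723), ("udp", 500)}
WITH_NAT_T: Policy = PORTS_BUT_NO_GRE_ESP | {("udp", 4500)}

if __name__ == "__main__":
    for label, policy in (("web only", WEB_ONLY),
                          ("ports open, GRE/ESP blocked", PORTS_BUT_NO_GRE_ESP),
                          ("NAT-T allowed", WITH_NAT_T)):
        print(label, report(policy))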
Study of VPN in NIC
In large organizations such as NIC (National Informatics Centre), VPN services are
used to a great extent. VPN servers are set up in NIC, from where the VPN service
is provided all around the world. Requests for the VPN service are sent to NIC by
people all around the world, and NIC enrols them as VPN clients. A proper
procedure is followed in creating a VPN client: a digital certificate is issued to
the client, which has an expiry date linked with it and must be renewed from time
to time. Complete records of each VPN client, including the sites they want to
access, are maintained by the organization. Once the VPN service is provided, a
username and password are issued to the VPN client, and the client can then
securely access the network. NIC handles all problems related to the VPN
services, and maintains sites such as www.inoc.nic.in for this purpose.
FUTURE PROSPECTS
VPN in future will be used in more areas like:
►Sales professionals, field technical specialists and others working
from remote offices.
►Employees who are required to frequently work from home.
►Employees whose time spent online exceeds an average of 20 hours
per week.
►Executive and key management personnel who frequently need access
from home.
►Support personnel who need remote access to JnJ Network to carry
out business critical activities.
►VPNs are continually being enhanced. Example: Equant NV.
►As the VPN market becomes larger, more applications will be created
along with more VPN providers and new VPN types.
►Networks are expected to converge to create an integrated VPN.
►Improved protocols are expected, which will also improve VPNs.
CONCLUSION:
the center of a VPN hub and spoke network. Intra-office communication
is therefore encrypted and the use of a single switchboard saves costs.
Knowledge of VPNs is now indispensable for systems administrators.
We have seen in this tutorial the two main ways a VPN is used today as
well as the three main protocols that are used. The PPTP protocol is
particularly useful for RoadWarrior connections. L2TP is similar but
also has the ability to encapsulate all types of network traffic and can
therefore route everything, even protocols that normally cannot be
routed without encapsulation.
The IPSec protocol is ideal for LAN to LAN tunnels as it offers security
at each layer of the communication. IPSec, with its installation in IPv6,
will become the most widely used tunnelling protocol in both VPN
domains (LAN to LAN and RoadWarrior). One thing to focus on is the
encryption you want to use with your VPN connection, so that your
data is actually encrypted in transit.
COLLEGE PROFILE:
B--------- V------------- College of Engineering is an
engineering college located in India. Its parent body is
University, and it shares its infrastructure with the Institute
of Computers and Management. It is affiliated with ---------.
It is one of the leading engineering colleges in. The
institute conducts a training programme in collaboration
with a leading multinational company in the areas of VLSI &
Embedded Systems. The institute also conducts an in-plant
training programme for the students, in view of the
campus recruitment programmes, which attempts to match the
aspirations of the future with the expectations of the
corporate sector.
It offers the B.Tech engineering degree in the following
streams:
BIBLIOGRAPHY:
2. Cisco's CCNA (all modules), for networking information.
3. Virtual Private Networks: Technologies and Solutions, and
Virtual Private Networks: Making the Right Connection, for
VPN-related material.
http://www.inoc.nic.in
http://www.vpnserver.nic.in
http://www.vpn-info.com/disadvantages_of_vpn.htm
http://en.wikipedia.org/wiki/VPN
INDEX
Topics Page no.
1) ABSTRACT 1
2) INTRODUCTION OF VPN 28
3) HISTORY OF VPN 31
4) DIFFERENT TYPES OF VPN 36
5) TECHNOLOGIES SUPPORTED BY VPN 42
6) PROTOCOL USED 47
7) ADVANTAGES AND DISADVANTAGES OF VPN 59
8) LIMITATIONS 62
9) FUTURE EXPANSION 65
10) CONCLUSION 66
11) ORGANISATION PROFILE 68
12) COLLEGE PROFILE 73
13) BIBLIOGRAPHY 76