Virtual Private Networks: A Technology Overview
What is a Virtual Private Network?
A Virtual Private Network (VPN) is a network that uses the Internet or other network service as its Wide Area Network (WAN) backbone. In a VPN, dial-up connections to remote users and leased line or Frame Relay connections to remote sites are replaced by local connections to an Internet service provider (ISP) or other service provider's point of presence (POP). A VPN allows a private intranet to be securely extended across the Internet or other network service, facilitating secure e-commerce and extranet connections with business partners, suppliers and customers. There are three main types of VPN:
VPNs Based on IP Tunnels
VPNs based on IP tunnels encapsulate a data packet within a normal
IP packet for forwarding over an IP-based network. The encapsulated packet
does not need to be IP, and could in fact be any protocol such as IPX, AppleTalk,
SNA or DECnet. The encapsulated packet does not need to be encrypted and
authenticated; however, with most IP based VPNs, especially those running
over the public Internet, encryption is used to ensure privacy and authentication
to ensure integrity of data. VPNs based on IP tunnels are mainly self deployed;
users buy connections from an ISP and install VPN equipment which they
configure and manage themselves, relying on the ISP only for the physical
connections. VPN services based on IP tunnels are also provided by ISPs,
service providers and other carriers. These are usually fully managed services
with options such as Service Level Agreements (SLAs) to ensure Quality
of Service (QoS). A Ten Point Plan for Building a VPN shows some of the
steps taken when deploying an Internet-based VPN.
The following diagram shows an Internet-based VPN that uses secure IP
tunnels to connect remote clients and devices (Figure 2).
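The encapsulation described above, written out as an added example (it is not code from this paper or from any Cabletron/Enterasys product): a non-IP frame is wrapped in an outer IPv4 packet whose payload carries an ESP-style header (SPI and sequence number), the inner frame encrypted, and a truncated HMAC over the whole ESP body so the receiver can reject forged or modified packets before decrypting. The IP protocol number for ESP (50) and the IPX-in-IP number (111) used to label the inner payload are the real IANA values; the cipher is a labelled stand-in (HMAC-SHA256 run in counter mode) rather than the AES a real ESP stack uses, the ESP trailer is simplified (no padding), and the sample inner frame, keys and addresses are constructed for the illustration.

```python
import hashlib
import hmac
import os
import struct

IPPROTO_ESP = 50        # IANA protocol number carried in the outer IP header
NEXT_HEADER_IPX = 111   # IANA "IPX-in-IP" number, used here to label the inner payload
ICV_LEN = 12            # truncated HMAC tag, in the style of HMAC-SHA1-96

# Constructed sample inner packet: deliberately not IP (an IPX-style frame)
SAMPLE_INNER = b"\xff\xff\x00\x2a\x00" + b"IPX frame (constructed sample)"


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement sum of the header's 16-bit words (RFC 791)."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Stand-in cipher: HMAC-SHA256 run in counter mode. A real ESP stack uses AES."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack("!I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encapsulate(inner, next_header, spi, seq, enc_key, auth_key, src, dst):
    """Outer packet layout: [IPv4][SPI][seq][nonce][ciphertext(inner + next_header)][ICV]."""
    nonce = os.urandom(8)
    plaintext = inner + bytes([next_header])          # trailer tells the peer what the payload is
    ct = xor_bytes(plaintext, keystream(enc_key, nonce, len(plaintext)))
    esp = struct.pack("!II", spi, seq) + nonce + ct
    icv = hmac.new(auth_key, esp, hashlib.sha256).digest()[:ICV_LEN]  # covers SPI, seq, nonce, ct
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp) + ICV_LEN) + esp + icv


def decapsulate(packet, spi_table):
    """Check the ICV before decrypting; returns (spi, seq, next_header, inner)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_ESP:
        raise ValueError("not an ESP packet")
    esp = packet[ihl:]
    spi, seq = struct.unpack("!II", esp[:8])
    if spi not in spi_table:
        raise ValueError("unknown SPI")               # no security association for this sender
    enc_key, auth_key = spi_table[spi]
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("authentication failed")     # forged or modified in transit: drop
    nonce, ct = body[8:16], body[16:]
    pt = xor_bytes(ct, keystream(enc_key, nonce, len(ct)))
    return spi, seq, pt[-1], pt[:-1]


def roundtrip():
    """Encapsulate the sample frame at one site and recover it at the peer."""
    enc_key, auth_key = os.urandom(32), os.urandom(32)
    spi = 0x10000001
    table = {spi: (enc_key, auth_key)}
    src, dst = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])   # documentation addresses
    pkt = encapsulate(SAMPLE_INNER, NEXT_HEADER_IPX, spi, 7, enc_key, auth_key, src, dst)
    return pkt, decapsulate(pkt, table), table


def tamper_detected():
    """Flip one ciphertext bit in transit; the ICV check must reject the packet."""
    pkt, _, table = roundtrip()
    bad = bytearray(pkt)
    bad[20 + 16] ^= 0x01           # first ciphertext byte: 20-byte IP header + SPI/seq/nonce
    try:
        decapsulate(bytes(bad), table)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    pkt, (spi, seq, nh, inner), _ = roundtrip()
    print(f"outer packet {len(pkt)} bytes, spi={spi:#x} seq={seq} next_header={nh} inner={inner!r}")
    print("tamper detected:", tamper_detected())
```

The order of operations in `decapsulate` is the point worth noticing: the SPI lookup and the ICV check both happen before any decryption, so traffic that does not belong to a configured tunnel is discarded cheaply, which is what makes the "authentication to ensure integrity" half of the paragraph useful in practice.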
VPNs based on IP tunnels provide the following benefits:
VPNs Based on ISDN, Frame Relay or ATM
VPNs based on ISDN, Frame Relay or ATM connections are very different
from VPNs based on IP tunnels. This type of VPN uses public switched data
network services and uses ISDN B channels, PVCs, or SVCs to separate traffic
from other users. Single or multiple B channels, PVCs, or SVCs may be used
between sites with additional features such as backup and bandwidth on
demand. Data packets do not need to be IP, nor do they need to be encrypted.
Due to more wide-spread awareness about security issues, however, many
users now choose to encrypt their data. The following diagram shows a carrier-based
VPN that uses ISDN B channels and Frame Relay PVCs to connect remote clients
and devices (Figure 3).
VPNs based on public switched data networks are usually provided by
service providers and other carriers, and may or may not provide fully
managed services. In most cases, additional services such as QoS options
are available. This type of VPN is likely to become particularly popular
in Europe, where public switched data networks are widely available and
business use of the Internet is less developed. The main benefits of VPNs
based on ISDN, Frame Relay or ATM connections include the following:
A Note About the Term "VPN"
The term VPN is used for many different services, including remote
access, data, fax, and voice over IP (VoIP). The other sections in this
discussion are concerned with just two types of VPN service: remote access
and intranet. However, much of the discussion on intranet QoS requirements
is relevant to multimedia, including VoIP.
VPN Benefits
VPNs offer considerable cost savings over traditional solutions (Figure 4).
VPNs cost considerably less than traditional leased line, Frame Relay or other services, because long-distance connections are replaced with local connections to an ISP's point of presence (POP), or local connections to a service provider or carrier network.
Reduced Costs
VPNs offer the network manager a way to reduce the overall operational
cost of wide area networking through reduced telecom costs. In the case
of a managed VPN service, the savings can be greater as the ISP or service
provider manages the WAN equipment, allowing fewer networking staff to
manage the security aspects of the VPN. In many cases, implementing a VPN
also means that more use is made of an existing dedicated Internet connection.
Flexibility
VPNs based on IP tunnels, particularly Internet-based VPNs, also allow
greater flexibility when deploying mobile computing, telecommuting and
branch office networking. Many corporations are continuing to experience
explosive growth in the demand for these services. VPNs provide a low-cost
and secure method of linking these sites into the enterprise network. Due
to the ubiquitous nature of ISP services, it is possible to link even the
most remote users or branch offices into the network.
Examples
The following examples, based on real-life costs, show how you can
make significant savings by implementing VPN-based solutions. The first
example shows the cost of a dial up VPN service compared to a traditional
remote access solution, while the second example shows the cost of an intranet
VPN solution compared to a traditional WAN solution. The final example
shows the costs of an international VPN service based on an encrypted 128
Kbps Frame Relay connection compared to a 64 Kbps dedicated leased line.
Example 1—Dial VPN Versus Traditional Remote Access
There are two areas where savings can be made with a dial VPN solution
compared to a traditional remote access solution:
In most European countries, however, this is not the case and a remote access solution based on ISDN may actually be cheaper than a dial VPN solution. In many European countries, ISDN tariffs are low, and extensive use of time cutting, protocol spoofing and filtering can dramatically reduce ISDN costs. See Cabletron's ISDN and Telesaving white paper for more details.
Moving to a dial VPN solution means that each remote user requires an
ISP account, and the POPs must be local to the majority of the users. The
cost benefits might not be as compelling if users are switched to an ISP
account with a flat monthly rate but then must
incur long distance call charges to connect to the ISP's nearest POP.
Example 2—Intranet VPN Versus Leased Line and Frame Relay
There are two areas where savings can be made with an intranet VPN
solution compared to a traditional WAN solution:
Based on a cost comparison alone, the reasons for moving to an intranet VPN are compelling. However, a traditional WAN based on leased lines or Frame Relay provides guaranteed levels of Quality of Service (QoS). Replacing a traditional WAN between branch offices and central sites with an intranet VPN is unlikely to give the same levels of performance and QoS to users unless the service provider is able to give throughput and latency guarantees as part of a Service Level Agreement (SLA). See Quality of Service for more information about QoS and SLAs.
Example 3—International VPN Versus International Connections
The savings are particularly evident in the cost of international connections.
A 128 Kbps VPN link between London and Tokyo provided by an international
ISP costs around $20,000 per year, while a 64-Kbps leased line provided
by a traditional carrier can easily cost around $160,000 per year. Even
an international VPN service based on Frame Relay provided by a traditional
carrier costs around a third of the cost of the 64 Kbps dedicated leased
line.
Internet VPNs
VPNs based on the Internet are becoming widely available, especially
as an alternative for dial-up remote access. Generally when people talk
about VPNs, they implicitly mean an Internet-based network as an alternative
to a private network based on public network services such as T1 leased
lines or Frame Relay. The Internet has become so ubiquitous and Internet
service providers (ISPs) so numerous that it is now possible to obtain
connections in all but the most remote locations. Most countries worldwide
now have ISPs offering connections to the Internet, although some countries
still restrict access. So it is possible for many organizations, both large
and small, to consider the Internet not just for external communication
with customers, business partners and suppliers, but for internal communications
as well using a VPN (Figure 7).
Internet-based VPNs can be used to outsource remote access with significant cost savings and greater flexibility. Modem racks, remote access servers and the other equipment necessary to service the needs of remote and mobile users can be replaced with a managed service provided by an ISP (see Remote Access VPNs).
While Internet VPNs are suitable for remote access needs, there are still problems to overcome before moving to a full intranet VPN solution. Although most VPN products now offer adequate levels of security, the issue of Quality of Service (QoS) and Service Level Agreements (SLAs) remains. While most VPN service providers can offer guarantees for connectivity and uptime, few can offer adequate throughput and latency guarantees. In addition, there are few agreements between ISPs, so unless you can use a single ISP's IP backbone for all your connections, you are likely to suffer service degradation where connections cross boundaries between ISPs. Most users will not want to give up the levels of service currently offered by leased lines, Frame Relay or ATM networks for something inferior. However, in the long term these problems will be overcome, and Internet-based VPNs will become much more widespread for intranet as well as remote access. In a few years, global VPN services based on the Internet will become as cost-effective and as highly available as global Frame Relay and other public network services.
Public Network VPNs
Public networks such as ISDN, Frame Relay and ATM can carry mixed data
types including voice, video and data. They can also be used to provide
VPN services by using B channels, Permanent Virtual Circuits (PVCs) or
Switched Virtual Circuits (SVCs) to separate traffic from other users (Figure
8).
Optionally, authentication and encryption can be used where the identity
of users and the integrity of data needs to be guaranteed. Using PVCs,
SVCs or B channels makes it easier to provide additional bandwidth or backup
when needed. The traffic shaping capabilities of Frame Relay and ATM can
be used to provide different levels of QoS, and because these services
are based on usage, there is significant opportunity to reduce telecom
costs even further by using bandwidth optimization features.
Frame Relay in particular has become a popular, widespread and relatively
low-cost networking technology that is also suitable for VPNs. Running
VPNs over a Frame Relay network allows expensive dedicated leased lines
to be replaced and makes use of Frame Relay's acknowledged strengths, including
bandwidth on demand, support for variable data rates for bursty traffic,
and switched as well as permanent virtual circuits for any-to-any connectivity
on a per-call basis. Frame Relay's ability to handle bursty traffic and
built-in buffering means that it makes optimum use of available bandwidth,
something that is important in a VPN environment where latency and performance
are concerns. Frame Relay can be used to create a VPN in two ways:
By creating a mesh of Frame Relay connections between sites. These
connections are essentially point-to- point links and are similar in concept
to dedicated leased lines. Data is kept separate from other Frame Relay
users as each connection uses a separate virtual circuit.
By using IP tunnels over Frame Relay connections between sites. As
above, these connections are essentially point-to-point links similar in
concept to dedicated leased lines and each connection uses a separate virtual
circuit. However, several separate IP tunnels can be run over each connection,
and each tunnel can be encrypted and authenticated to provide additional
security.
Frame Relay is an end-to-end protocol that can be run over a variety
of access technologies, such as ISDN, DSL (Digital Subscriber Loop), and
even POTS dial-up lines. New access methods such as switched virtual circuits
(SVCs), ISDN access and backup mean that Frame Relay is now a much more
reliable and cost-effective solution. Frame Relay can also run over, and
interoperate with, ATM backbones, making it one of the most widely available
public data networking services worldwide. As a result, major service providers
and carriers have created global Frame Relay networks which are cost-effective
and offer high availability. When coupled with tunneling, encryption and
authentication, these attributes make Frame Relay an ideal candidate for
global VPN services.
Remote Access VPNs
Remote access VPNs (Figure 9) are rapidly replacing traditional
remote access solutions as they are more flexible and cost less.
Remote access refers to the ability to connect to a network from a distant location. A remote access client system connects to a network access device, such as a network server or access concentrator. When logged in, the client system becomes a host on the network. Typical remote access clients might be:
We can divide remote access connections into two groups: local dial
and long-distance dial. For traditional, private, remote access networks,
local-area users connect using a variety of telecommunication data services.
Remote access long-distance users rarely have a choice other than modem
access over telephone networks. The aggregation devices that the clients
connect to typically use channelized leased line and primary-rate ISDN,
offering dedicated, circuit switched access.
With VPNs, local area users typically have a wider range of data services to choose from, regardless of the support at the enterprise or central site VPN equipment. However, long-distance connections are currently via modem access. What VPN carriers currently offer corporations are "Work Globally, Dial Locally" services. The VPN equipment will use high-speed leased lines to the nearest POP of the chosen VPN carrier and all remote access traffic can be aggregated or routed as IP datagrams over this single link.
Advantages of Remote Access VPNs over Traditional Direct-Dial Remote Access
Most of the disadvantages listed here apply to Internet-based VPNs; solutions
to them will be available from VPN-focused carriers. Possible disadvantages
of VPN remote access include the following:
Advantages of Intranet VPN Solutions
Possible disadvantages of intranet VPN include the following:
There are a number of issues, both technological and practical, that
need to be overcome before you can implement a VPN. Here are some of these
issues.
For a VPN to function successfully, it must provide a number of essential
features—in particular, features that solve the problems that stem from
routing private data across a shared public network. The main features
are discussed here.
Security
Since a VPN is a shared-access, routed network, security is the main
area of concern. It will require the use of encryption, secure key exchange/re-keying,
session and per-packet authentication, security negotiation, private address
space confidentiality, complex filtering, and a host of other precautions.
Performance and Quality of Service (QoS)
IP datagrams sent across the VPN carrier service may experience packet
loss (silent discards) and packet reordering.
Packet loss tends to be greatly increased by stateful algorithms designed
for point-to-point reliable links, for example, PPP compression and encryption
algorithms. Throughput may also vary from POP to POP, country to country,
and even hour to hour.
Reordering will cause problems for some LAN protocols, for example,
when running bridging over a VPN.
Monitoring Actual Throughput
In the absence of Quality of Service guarantees from the VPN carriers,
mechanisms are required to allow performance monitoring of tunnels.
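The loss, reordering and throughput observations of the two passages above can be measured at the tunnel receiver from nothing more than the per-packet sequence number and arrival time. The following is an added example (not from this paper or any product it describes) that does so and then checks the result against a threshold of the kind an SLA would state; the arrival records are constructed, and `within_sla` and its thresholds are assumptions for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Arrival:
    seq: int     # sender's per-packet sequence number (the ESP sequence field, for instance)
    t: float     # arrival time, seconds
    size: int    # bytes on the wire


def tunnel_stats(arrivals: List[Arrival]) -> Dict[str, float]:
    """Loss, reordering, duplication and throughput as seen at the tunnel receiver."""
    seen = set()
    highest = None
    reordered = duplicates = unique_bytes = 0
    for a in arrivals:
        if a.seq in seen:
            duplicates += 1              # replayed or retransmitted copy
            continue
        seen.add(a.seq)
        unique_bytes += a.size
        if highest is None or a.seq > highest:
            highest = a.seq
        else:
            reordered += 1               # a lower sequence number arriving after a higher one
    if not seen:
        return {"expected": 0, "received": 0, "lost": 0, "loss_fraction": 0.0,
                "reordered": 0, "duplicates": 0, "throughput_bps": 0.0}
    expected = highest - min(seen) + 1   # silent discards leave holes in the sequence space
    lost = expected - len(seen)
    duration = max(a.t for a in arrivals) - min(a.t for a in arrivals)
    throughput = unique_bytes * 8 / duration if duration > 0 else 0.0
    return {"expected": expected, "received": len(seen), "lost": lost,
            "loss_fraction": lost / expected, "reordered": reordered,
            "duplicates": duplicates, "throughput_bps": throughput}


def within_sla(stats: Dict[str, float], max_loss_fraction: float, min_throughput_bps: float) -> bool:
    """Assumed SLA check: loss at or below the agreed fraction and throughput at or above the floor."""
    return stats["loss_fraction"] <= max_loss_fraction and stats["throughput_bps"] >= min_throughput_bps


# Constructed sample: ten packets sent; 6 and 9 never arrive, 4 arrives after 5, 8 is seen twice.
SAMPLE = [Arrival(1, 0.0, 1000), Arrival(2, 0.125, 1000), Arrival(3, 0.25, 1000),
          Arrival(5, 0.375, 1000), Arrival(4, 0.5, 1000), Arrival(7, 0.625, 1000),
          Arrival(8, 0.75, 1000), Arrival(8, 0.8, 1000), Arrival(10, 1.0, 1000)]


if __name__ == "__main__":
    stats = tunnel_stats(SAMPLE)
    for k, v in stats.items():
        print(f"{k:>15}: {v}")
    print("meets 1% loss / 50 kbit/s floor:", within_sla(stats, 0.01, 50_000))
```

On the sample the receiver sees 8 of 10 packets (20% loss), one reordering, one duplicate and 64 kbit/s of goodput; the same walk over a tunnel's sequence numbers is what a monitoring agent would run continuously, and the duplicate count is also what an anti-replay check would key on.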
Preventing Denial of Service Attacks
Being connected to a public network, the VPN receive-data path can
be clogged by unsolicited data to such an extent that no useful business
can be achieved. Unlike a private leased line, traffic that is not from
the peer remote site (tunnel end-point) can flood down the receive path
of a VPN tunnel from anywhere on the public network. For client-based tunnels,
there are no services currently.
In the case where the VPN carrier is providing the tunnel, the VPN
carrier could offer to filter non-VPN traffic, or perhaps provide a bandwidth
reservation service. For the L2TP VPN carrier-based approach, the client
is protected by the fact that it is not reachable via the public network,
as no global address is assigned.
Scalability
The term scalability refers to how well a system can adapt to increased
demands. A scalable network system is one that can start with just a few
nodes but can easily expand to thousands of nodes. Scalability can be a
very important feature because it means that you can invest in a system
with confidence that you won't outgrow it. If VPN carriers are to succeed
in VPN deployment, the technologies they use need to scale easily. The
VPN customer will also require this at larger Security Gateway sites. Enterprises
will need to consider:
Flexibility
To offer a "go anywhere" VPN service, VPN carriers are keen to provide
a service that can support all protocols and all data links (e.g. PPP over
anything).
Telesaving
Telesaving means making cost-effective use of WAN data services. Telesaving
is appropriate to all WAN links, but is particularly useful for "pay-as-you-use"
data services, for example, ISDN. For clients using this type of service
to access the VPN carrier network—and from there, a tunnel server—telesaving
needs to be performed from a central site (an Enterprise Security Gateway)
for data links that are connected indirectly via the VPN carrier network.
New, VPN-specific, telesaving features will be needed to take advantage
of the possibility of cheap bandwidth via a VPN link, while maintaining
some layer of service using more expensive, private data links when needed.
Bandwidth Reservation and Quality of Service (QoS)
Bandwidth reservation and Quality of Service (QoS) refers to the ability
to "reserve" transmission bandwidth on a network connection for particular
classes of traffic or particular users. It allocates percentages of total
connection bandwidth for specified traffic classes or users, which have
given priority levels assigned to them. A bandwidth reservation algorithm
is used to decide which packets to drop when there is too much network
traffic for the available bandwidth.
Given a fixed capacity VPN WAN link (say a T1), it is desirable to
reserve bandwidth outbound (and inbound if possible) on a per user (remote
access) or per remote LAN basis. There are, however, some questions about
how bandwidth reservation can be accomplished over tunnels. For outbound
reservation, the Security Gateway could implement transmit priority queues,
but inbound reservation requires the assistance of the VPN carrier.
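The outbound side of the reservation scheme described above, as an added example (not code from this paper or from any product it describes): a per-interval scheduler at the Security Gateway first lets each traffic class use its reserved share of the link, then hands any spare capacity out in priority order, and drops whatever still does not fit. A plain FIFO scheduler is included for contrast, since it shows the starvation that reservation is meant to prevent. The classes, percentages and the burst of packets are constructed; the capacity of 10,000 bytes per scheduling interval is an assumption roughly equal to 50 ms of a T1.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

Packet = Tuple[str, int]   # (traffic class, size in bytes)


def reserve_and_schedule(packets: List[Packet], capacity_bytes: int,
                         reservations: Dict[str, float]):
    """Bandwidth reservation for one scheduling interval.

    reservations maps class -> fraction of the link; its key order is the priority
    used when handing out spare capacity. Returns (sent, dropped) as per-class counts."""
    queues = defaultdict(list)
    for cls, size in packets:
        queues[cls].append(size)
    sent, dropped = defaultdict(int), defaultdict(int)
    used = 0
    leftover = {}
    # Pass 1: every class may use its reserved share, whatever the other classes offer.
    for cls, frac in reservations.items():
        budget = int(capacity_bytes * frac)
        remaining = []
        for size in queues.get(cls, []):
            if size <= budget:
                budget -= size
                used += size
                sent[cls] += 1
            else:
                remaining.append(size)
        leftover[cls] = remaining
    # Pass 2: unused capacity goes to still-queued packets, highest priority class first.
    spare = capacity_bytes - used
    for cls in reservations:
        still = []
        for size in leftover[cls]:
            if size <= spare:
                spare -= size
                sent[cls] += 1
            else:
                still.append(size)
        dropped[cls] += len(still)      # over its reservation and no spare room: drop
    for cls in queues:                  # classes with no reservation get nothing
        if cls not in reservations:
            dropped[cls] += len(queues[cls])
    return dict(sent), dict(dropped)


def fifo_schedule(packets: List[Packet], capacity_bytes: int):
    """Baseline with no reservation: first come, first served until the link is full."""
    sent, dropped = defaultdict(int), defaultdict(int)
    spare = capacity_bytes
    for cls, size in packets:
        if size <= spare:
            spare -= size
            sent[cls] += 1
        else:
            dropped[cls] += 1
    return dict(sent), dict(dropped)


# Constructed scenario: a bulk transfer burst arrives ahead of business and voice traffic.
CAPACITY = 10_000                                   # bytes per interval, about 50 ms of a T1
RESERVATIONS = {"voice": 0.3, "business": 0.5, "bulk": 0.2}   # order = priority for spare capacity
SAMPLE_BURST = [("bulk", 1500)] * 6 + [("business", 1000)] * 7 + [("voice", 500)] * 4


if __name__ == "__main__":
    print("reserved:", reserve_and_schedule(SAMPLE_BURST, CAPACITY, RESERVATIONS))
    print("fifo    :", fifo_schedule(SAMPLE_BURST, CAPACITY))
```

With reservation every voice packet is sent and bulk absorbs the drops; under FIFO the bulk burst fills the link and voice is dropped entirely. Note that this only governs what the gateway transmits: as the paragraph says, the same control over the inbound direction has to come from the carrier's side of the link.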
Some possibilities for inbound reservation are:
High-Performance Routing Issues
With encryption being used from intranet or host-to-host, the nature
of IP-switching filters changes. For IP-switching (L3 switching) to function
on encrypted data flows, it may need to understand the IPSec and L2TP standards.
For example, the definition of a flow may need to make use of the IPSec
protocol headers to identify a communication stream. As an example, it
may be possible to trigger on the SPI field of the ESP header used in IPSec
as a means of identifying a stream. For L3 switches that terminate secure
tunnels, no fast forwarding is possible since the encrypted IP packet needs
to be reconstituted before being forwarded. There is also the extra load
of decrypting/encrypting for these secure tunnels. In time, encryption (and
compression) will be present in all hosts and there will be less need for
routers to terminate secure tunnels, allowing switching based on tunnel
header information and requiring no encryption/decryption horsepower. Work
to redefine the TOS field of IP packets as part of DiffServ may deliver
the means to reinstate traffic prioritization in L3 switches for secure
data flows.
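Two passages above call for the same small parser: the flow definition that "may need to make use of the IPSec protocol headers" (triggering on the SPI field of the ESP header, since the ports an L3 switch would normally hash on are inside the encrypted payload), and the receive-path filtering of non-VPN traffic suggested under Preventing Denial of Service Attacks. The following added example (not code from this paper or any product it describes) derives a flow key from a raw IPv4 packet, using the SPI for ESP and the port pair for TCP/UDP, and then applies a gateway policy that admits only ESP from configured tunnel peers with a known SPI. The packets, addresses, SPI values and `ALLOWED` table are constructed; the IPv4 checksum in the sample packets is left at zero because the classifier does not verify it.

```python
import struct
from ipaddress import IPv4Address
from typing import List, Set, Tuple

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP = 6, 17, 50


def flow_key(pkt: bytes) -> tuple:
    """Flow identifier an L3 switch could hash on; for ESP the SPI stands in for the ports."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src, dst = str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20]))
    l4 = pkt[ihl:]
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        sport, dport = struct.unpack("!HH", l4[:4])
        return (src, dst, proto, sport, dport)
    if proto == IPPROTO_ESP:
        (spi,) = struct.unpack("!I", l4[:4])     # ESP header: SPI then sequence number
        return (src, dst, proto, spi)             # ports are inside the encrypted payload
    return (src, dst, proto)


def make_packet(src: str, dst: str, proto: int, l4: bytes) -> bytes:
    """Constructed test packet: 20-byte IPv4 header (checksum 0, not verified here) + L4 bytes."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + l4


def esp_l4(spi: int, seq: int, payload_len: int) -> bytes:
    """ESP header followed by an opaque (stand-in) encrypted payload."""
    return struct.pack("!II", spi, seq) + b"\x00" * payload_len


def receive_path_filter(packets: List[bytes], allowed: Set[Tuple[str, int]]):
    """Admit only ESP from configured tunnel peers with a known SPI.

    allowed is a set of (peer address, SPI). Returns (admitted flow keys, dropped byte count)."""
    admitted, dropped_bytes = [], 0
    for pkt in packets:
        key = flow_key(pkt)
        if key[2] == IPPROTO_ESP and (key[0], key[3]) in allowed:
            admitted.append(key)
        else:
            dropped_bytes += len(pkt)      # non-VPN traffic never reaches the tunnel endpoint
    return admitted, dropped_bytes


# Constructed traffic arriving on the gateway's public interface
GATEWAY = "192.0.2.1"
PEER = "203.0.113.5"
ALLOWED = {(PEER, 0x1001)}
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, 0x02, 65535, 0, 0)
SAMPLE_TRAFFIC = (
    [make_packet(PEER, GATEWAY, IPPROTO_ESP, esp_l4(0x1001, 42, 1200))]          # legitimate tunnel
    + [make_packet("198.51.100.9", GATEWAY, IPPROTO_TCP, TCP_SYN)] * 3            # unsolicited clear traffic
    + [make_packet("198.51.100.77", GATEWAY, IPPROTO_ESP, esp_l4(0x1001, 1, 1200))]  # right SPI, wrong peer
)


if __name__ == "__main__":
    for pkt in SAMPLE_TRAFFIC:
        print(flow_key(pkt))
    admitted, dropped = receive_path_filter(SAMPLE_TRAFFIC, ALLOWED)
    print(f"admitted {len(admitted)} flow(s), dropped {dropped} bytes")
```

The filter removes the unwanted packets from the gateway's receive path, but it runs after they have crossed the access link; the bytes it drops have already consumed inbound capacity, which is why the paragraph notes that real protection against a flood needs the VPN carrier to filter or reserve bandwidth on its side.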
Quality of Service
What Quality of Service can you expect from your VPN service provider
and how can you measure what you are getting? Most data services, such
as Frame Relay, provide guarantees for uptime and availability, as well
as throughput and response time. These guarantees, or Quality of Service
(QoS) metrics, are defined in the Service Level Agreement (SLA) with your
service provider.
While most managed VPN services provide a certain level of guaranteed
uptime and availability, many do not provide comparable performance and
latency guarantees, nor do they offer throughput guarantees. There are
several different schemes used to provide Quality of Service, some of which
have been developed specifically with a particular technology or protocol
in mind, such as Ethernet or ATM. Other schemes are specific to the IP
protocol and are being developed by the IETF. Examples of different QoS
schemes are:
SLA Checklist
Here are some things to ask your service provider about SLAs:
VPN Futures
VPNs are only just starting to be deployed. Once VPNs are in wide use, they provide the opportunity to integrate other types of communication such as multimedia and Voice over IP (VoIP).
The primary concern for VPNs will always be security. However, once VPN products are widely available, the focus will fall more and more on delivering quality of service (QoS) and class of service (CoS) over IP networks as part of a VPN. As voice and data services merge into one (voice over IP, IP fax), new network services are being developed to offer the QoS/CoS required for data, telephony and fax. (For more information about QoS see Quality of Service and SLAs.) As products develop to take advantage of this opportunity, all communication devices will become IP addressable, providing voice, fax, video and data to the desktop. All of these services can make use of VPN security protocols.
Name servers could become very useful for configuring and reconfiguring VPNs. If the routers in a complex intranet VPN network were to make use of name servers to locate peer routers, then these networks could be reconfigured simply by changing the name-to-address mapping. Work is in progress to extend the use of DNS servers to provide a secure (IP Security-based) mechanism for routers to find peer routers and clients to find servers.
Next Generation VPN Carriers
New VPN carriers are emerging to take advantage of the new markets,
and traditional telecommunications providers see that the aggregation possible
with routed networks makes good sense for remote access data, as it reduces
the strain on long-haul dial services as well.
New 'last-mile' technologies like Digital Subscriber Loop (DSL) deliver a means for the phone companies to provide high bandwidth IP access over existing cabling (twisted-pair copper). Cable companies also offer the potential to deliver high bandwidth IP access over existing and new cable infrastructure. As the phone and cable companies become familiar with delivering IP services, these new last-mile technologies put them in a good position to acquire a significant share of the Internet access and VPN markets.
New providers are focussing on providing VPN services. A popular technique is to build an ATM or Frame Relay backbone and then offer VPN links with guarantees on throughput and latency to enable customers to outsource remote access, site-to-site and even interoffice fax and voice. These networks are well placed to offer everything from voice to site-to-site by making use of the quality of service options inherent in ATM and Frame Relay networks.
To offer global services to a VPN customer with global data needs, consortiums
of VPN carriers are forming to offer a uniform service internationally.
Many of these services are based on ATM and Frame Relay, although new IP
based services are becoming available.
VPNs and Voice/Data Convergence
Companies today use different communications infrastructure to
provide their voice, data and Internet connectivity needs. On the voice
side, components include a PABX, key system or Centrex service with features
such as voice mail and automated attendant. Computer Telephony Integration
(CTI) applications may also be used to link voice capabilities with data
applications (Figure 11).
On the data side, LAN infrastructure is typically provided by a stackable
or chassis based hub with multiple 10/100 Ethernet segments. WAN connectivity
is typically provided by a router using leased lines or Frame Relay, with
Internet connections for e-mail and web browsing provided via a separate
firewall connection.
Companies that use a variety of data and voice services to meet their
communication needs will find new alternatives becoming available that
offer direct and indirect cost savings. New customer-premises routers are
now appearing that act as both Security Gateways and Multimedia Gateways.
These Multiservice Routers integrate a number of LAN and WAN capabilities
such as hub and routing functions, and also support new applications such
as Voice Over IP (VoIP), IP-fax, Internet access (browsing, publishing,
e-mail, e-commerce) as well as VPN traffic over a single local-loop link
to a service provider POP (Figure 12).
An initial investment in web access and web publishing may well be
the starting point for a company that wishes to take advantage of VPN services.
For the move from web publishing and e-mail to full e-commerce, companies
may follow these steps:
©2003, Enterasys Networks, Inc. All rights reserved.