Author: T. Y. Fam
Research Assignment
1. Network Security
1.1 General Information
The reasons for having a good security system in a network can be grouped under three headings: confidentiality, integrity and availability. Confidentiality means the protection of private information: nobody should be able to view or access protected data unless they have been granted the right access. Integrity ensures that data stays as its originator created it, so no unauthorised user can change it undetected. Availability ensures that authorised users can access the data whenever they need it, without obstruction (Knipp, Browne, Weaver, Baumrucker, Chaffin, Caesar, Osipov, Danielyan, 2002, pp. 2-3).
1.2 Encapsulation
A network carries many different kinds of datagrams, transmitted in every direction. For the network hardware to carry each datagram across a physical network, the datagram has to be encapsulated: it is placed inside a frame of the underlying network so that the hardware can deliver it to the right place.
Encapsulation places the IP datagram in the data area of a frame; the entire datagram, header and data together, travels as the payload of that one frame.
Figure 1 below shows the concept:

The receiving hardware cannot by itself tell whether an incoming frame carries an IP datagram or some other protocol's data. The sender therefore sets the frame type field (for example the EtherType field of an Ethernet frame) and the receiver uses that value to decide which protocol module should process the payload. The frame's own destination address is the hardware (MAC) address of the next machine on that physical network; the destination IP address stays inside the encapsulated datagram.
When a frame reaches its destination on that physical network, the frame is discarded and the IP datagram is removed from it. If the datagram must travel on to another network, it is encapsulated again in a new frame for the next hop, and because the next network may use different hardware, the new frame format can differ from the previous one (Comer, 1997, pp. 278-281).
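The encapsulation, decapsulation and re-encapsulation steps described above, as an added worked example (not code from the original report or from Comer). It builds an Ethernet II frame around an IPv4 datagram, shows the receiver dispatching on the frame type field, and shows a router discarding the old frame and building a new one for the next link. Only the Python standard library is used; the MAC and IP addresses are made-up sample values.

```python
"""Added example: Ethernet-II encapsulation of an IPv4 datagram, decapsulation
by the receiver, and re-encapsulation by a router for the next hop.
Standard library only; MAC and IP addresses below are made-up sample values."""
import struct

ETHERTYPE_IPV4 = 0x0800   # frame type field values the receiver dispatches on
ETHERTYPE_ARP = 0x0806
PROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791). Over a valid header,
    including its own checksum field, the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes, ttl: int = 64) -> bytes:
    """20-byte IPv4 header without options, followed by the payload."""
    ip2b = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      0x4000, ttl, PROTO_UDP, 0, ip2b(src), ip2b(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """Ethernet II frame: dst MAC, src MAC, 2-byte type, then the whole datagram.
    The MACs are hardware addresses on this link; the IP addresses stay inside."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def parse_ipv4(datagram: bytes) -> dict:
    ihl = (datagram[0] & 0x0F) * 4
    if ipv4_checksum(datagram[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    (_, _, total_len, _, _, ttl, proto, _, src, dst) = struct.unpack("!BBHHHBBH4s4s", datagram[:20])
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "ttl": ttl, "proto": proto, "payload": datagram[ihl:total_len]}


def decapsulate(frame: bytes):
    """Receiver: strip the 14-byte frame header and dispatch on the type field."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    if ethertype == ETHERTYPE_IPV4:
        return "ipv4", parse_ipv4(payload)
    if ethertype == ETHERTYPE_ARP:
        return "arp", payload
    return "dropped", None        # unknown type: a real stack discards the frame


def forward(frame: bytes, router_mac: bytes, next_hop_mac: bytes) -> bytes:
    """Router: take the datagram out of the incoming frame (which is discarded),
    decrement TTL, fix the checksum, and build a fresh frame for the next link."""
    kind, _ = decapsulate(frame)
    if kind != "ipv4":
        raise ValueError("only IPv4 datagrams are routed here")
    dg = bytearray(frame[14:])
    if dg[8] <= 1:
        raise ValueError("TTL expired: router would drop it and send ICMP Time Exceeded")
    dg[8] -= 1                                 # TTL byte sits at offset 8
    dg[10:12] = b"\x00\x00"                    # zero the checksum before recomputing
    ihl = (dg[0] & 0x0F) * 4
    dg[10:12] = struct.pack("!H", ipv4_checksum(bytes(dg[:ihl])))
    return build_frame(next_hop_mac, router_mac, ETHERTYPE_IPV4, bytes(dg))


if __name__ == "__main__":
    host_a, router_in = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    router_out, host_b = bytes.fromhex("020000000003"), bytes.fromhex("020000000004")
    frame = build_frame(router_in, host_a, ETHERTYPE_IPV4,
                        build_ipv4("10.0.0.5", "10.0.1.9", b"hello"))
    print(decapsulate(frame))
    print(decapsulate(forward(frame, router_out, host_b)))
```

Note what changes and what does not between the two frames: the MAC addresses and the frame itself are replaced at every hop, while the IP source and destination inside the datagram are untouched; only TTL and the header checksum are rewritten. A frame whose type field the receiver does not recognise is dropped rather than guessed at.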
1.3 Encryption
Encryption is a method of creating a secure channel while data is transferred across the Internet. The simplest form is a symmetric (secret-key) cryptosystem: the sender encrypts the message with a key and sends it, and the receiver decrypts it with the same key; a ciphertext that decrypts correctly also gives some assurance that it came from a holder of that key. Used alone this scheme has a weakness: because a single key both encrypts and decrypts, it has to be shared in advance, and if that key is exposed every message protected with it can be decrypted.
A more secure way to establish that key is Diffie-Hellman key agreement, published in 1976. It lets two users arrive at the same secret without ever transmitting the secret itself, which lowers the chance of the key being exposed. In the DH algorithm each user generates a private value, derives a public value from it and sends only the public value to the other side; each user then combines the other's public value with its own private value, and both arrive at the same shared secret key. The sender encrypts the message with this shared key and the receiver decrypts it with the same key, which it computed itself. Neither user's private value is ever exposed to anyone. On its own the exchange does not tell either user who is at the other end, which is why VPN protocols such as IKE combine it with an authentication step (Fowler, 2005, Lecture Note).
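The exchange described above carried through in code, as an added example that is not part of the original report or of the cited lecture notes. Both sides' messages are shown, the agreed secret is hashed into a key, and that key is then used to encrypt and authenticate one message as the text describes. The group is the 1024-bit "Second Oakley Group" from RFC 2409 (generator 2); the cipher is an HMAC-SHA256 keystream with encrypt-then-MAC, used only as a stand-in for AES because the Python standard library has no block cipher. The `dh-demo-v1`, `enc` and `mac` labels are arbitrary choices of this example.

```python
"""Added example: Diffie-Hellman key agreement between two parties, then use
of the agreed key to encrypt and authenticate one message. Standard library
only. Group: RFC 2409 "Second Oakley Group" (1024-bit MODP, generator 2).
The HMAC-SHA256 keystream cipher below is a stand-in for AES."""
import hashlib
import hmac
import secrets

P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


class Party:
    """One side of the exchange. The private value never leaves the object."""
    def __init__(self, name: str):
        self.name = name
        self.private = secrets.randbelow(P - 3) + 2      # random x in [2, P-2]
        self.public = pow(G, self.private, P)            # g^x mod p, safe to send in clear
        self.key = None

    def derive(self, peer_public: int) -> bytes:
        # Reject 0, 1 and p-1: those force the shared secret into a tiny subgroup.
        if not 2 <= peer_public <= P - 2:
            raise ValueError("peer public value out of range")
        shared = pow(peer_public, self.private, P)       # (g^y)^x == (g^x)^y mod p
        # Raw DH output is not uniformly random; hash it into a fixed-size key.
        # The "dh-demo-v1" label is an arbitrary domain separator for this example.
        self.key = hashlib.sha256(b"dh-demo-v1" + shared.to_bytes(128, "big")).digest()
        return self.key


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def _subkeys(key: bytes):
    # Separate keys for confidentiality and integrity, both derived from the DH key.
    return (hashlib.sha256(key + b"enc").digest(), hashlib.sha256(key + b"mac").digest())


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag (encrypt-then-MAC). Fresh random nonce per message."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or message altered in transit")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def run_exchange(message: bytes):
    """Full protocol run: exchange public values, derive keys, send one message."""
    alice, bob = Party("Alice"), Party("Bob")
    key_a = alice.derive(bob.public)        # Alice sees only g^y, computes (g^y)^x
    key_b = bob.derive(alice.public)        # Bob sees only g^x, computes (g^x)^y
    blob = encrypt(key_a, message)          # only g^x, g^y and this blob cross the network
    return key_a == key_b, decrypt(key_b, blob)


if __name__ == "__main__":
    print(run_exchange(b"meet at the usual place"))
```

Two caveats a practitioner will want. First, an eavesdropper who sees `g^x` and `g^y` cannot compute the key, but an active attacker who can replace them with his own values can run a separate exchange with each side (a man-in-the-middle), which is why IKE authenticates the exchange with a pre-shared key or certificates. Second, the 1024-bit group is used here for readability; current deployments use 2048-bit or larger MODP groups or elliptic-curve DH.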

1.4 Authentication
Authentication is the means of preventing an unauthenticated person or system from accessing a network or system: only users or systems that hold the correct credential, such as the logon password, are allowed in. There should, however, be a balance between security and usability, because over-use of authentication creates problems for users as well.
A commonly used protocol is the Challenge Handshake Authentication Protocol (CHAP). The authenticator re-validates the peer, at logon and periodically afterwards, by sending a random challenge; the client replies with its username and a one-way hash computed over the challenge and the shared secret (the password), and the server recomputes the hash from its own copy of the secret to check that the right peer is on the line. The password itself is never sent across the link.
One common problem in authentication is password length. A short password is easily broken by a brute-force search, but a long password may have to be written down, and the risk of it being exposed that way is higher than for a short one (Fowler, 2005, Lecture Note).
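The CHAP exchange and the short-password problem from the two paragraphs above, as one added example (not code from the original report or from the cited lecture notes). Both sides of the RFC 1994 handshake are modelled, the server rejects replayed responses, and an eavesdropper's offline guessing attack is run against a captured challenge/response pair to show why a short secret is weak. Standard library only; user names and secrets are made-up sample values.

```python
"""Added example: the CHAP three-way handshake (RFC 1994) with both sides,
and the offline guessing attack that a captured challenge/response allows
when the shared secret is short. Standard library only; user names and
secrets are made-up sample values."""
import hashlib
import hmac
import itertools
import secrets
import string


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Authenticator:
    """Server side. CHAP needs the secret in recoverable form on the server."""
    def __init__(self, secrets_db: dict):
        self.secrets_db = secrets_db          # user name -> shared secret
        self.outstanding = {}                 # identifier -> challenge awaiting a reply

    def challenge(self):
        ident = secrets.randbelow(256)
        chal = secrets.token_bytes(16)        # fresh random challenge every time
        self.outstanding[ident] = chal
        return ident, chal

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        chal = self.outstanding.pop(ident, None)   # single use: a replayed response fails
        if chal is None or name not in self.secrets_db:
            return False
        expected = chap_response(ident, self.secrets_db[name], chal)
        return hmac.compare_digest(expected, response)   # constant-time comparison


class Peer:
    """Client side. Only the username and the hash leave the host, never the secret."""
    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def answer(self, ident: int, challenge: bytes):
        return self.name, chap_response(ident, self.secret, challenge)


def handshake(server: Authenticator, peer: Peer) -> bool:
    ident, chal = server.challenge()             # 1. Challenge
    name, resp = peer.answer(ident, chal)        # 2. Response
    return server.verify(ident, name, resp)      # 3. Success / Failure


def offline_guess(ident, challenge, response, alphabet=string.ascii_lowercase, max_len=4):
    """What an eavesdropper who recorded one exchange can do: try every short
    secret until the hash matches. One MD5 per guess, no interaction with the
    server, so rate limiting and lockout never trigger."""
    for n in range(1, max_len + 1):
        for cand in itertools.product(alphabet, repeat=n):
            guess = "".join(cand).encode()
            if chap_response(ident, guess, challenge) == response:
                return guess
    return None


if __name__ == "__main__":
    server = Authenticator({"alice": b"zoo", "bob": b"correct horse battery staple"})
    print("alice logs in:", handshake(server, Peer("alice", b"zoo")))
    ident, chal = server.challenge()
    _, resp = Peer("alice", b"zoo").answer(ident, chal)   # captured off the wire
    print("eavesdropper recovers alice's secret:", offline_guess(ident, chal, resp))
```

The guessing loop is the point of the second paragraph: the protocol never transmits the password, yet a three-letter secret falls to a few thousand hashes, while the longer secret survives the same search. The same weakness is why CHAP secrets, like IKE pre-shared keys, should be long random strings rather than memorable words.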
2. Network Topology
2.1 General Information
There are many ways of building a VPN, depending on the size of the networks and the area to be covered. Different topologies can be implemented with different protocols.
2.2 Host-to-Host
A host-to-host secure connection can be built with IPsec, simply by installing and configuring IPsec on both hosts. The two hosts can be desktops or workstations that want a private channel for transferring files or data securely. Figure 3 below shows the idea of a host-to-host network.

To create this connection, each host's IPsec configuration needs a unique connection name that identifies the link, and the IP addresses of both hosts are entered in the configuration file. The two hosts share a pre-shared authentication key; when the connection is established, IKE uses that key to authenticate the peers and to negotiate the session encryption keys, so the encryption keys themselves are never typed in or exchanged by hand (IPsec Host-to-Host Configuration, https://www.redhat.com/docs/manuals/enterprise/RHEL-3-Manual/security-guide/s1-ipsec-host2host.html, 2005).
2.3 Host-to-Network
Host-to-network is the less complicated version of network-to-network. Most of the structure is the same, except that a single host connects to a large network instead of one network to another. This is useful for people working at home who need a secure connection to the company network.
2.4 Network-to-Network
A connection between two networks means that two subnets are linked by a VPN tunnel. A network-to-network connection requires an IPsec router (gateway) in each subnet; the gateways encrypt and route traffic on behalf of every host PC behind them, so the individual hosts need no IPsec configuration. This topology is typically used by two offices or companies that want to link their networks at low cost: a VPN over the Internet is much cheaper than renting a leased line, which can cost a few hundred thousand per year (IPsec Network-to-Network Configuration, https://www.redhat.com/docs/manuals/enterprise/RHEL-3-Manual/security-guide/s1-ipsec-net2net.html, 2005).

Figure 4 shows the IPsec connection passing through a tunnel across the Internet.
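The three topologies of sections 2.2 to 2.4 written out as IPsec configuration, as an added example: this is not taken from the Red Hat guide the sections cite, and it uses strongSwan's ipsec.conf and ipsec.secrets syntax rather than the RHEL 3 ifcfg files that guide describes. The addresses are RFC 5737 documentation addresses and the subnets are placeholders; the pre-shared keys must be replaced with long random strings.

```conf
# /etc/ipsec.conf  (strongSwan syntax; addresses and subnets are placeholders)
config setup

# 2.2 Host-to-host: transport mode, protects only traffic between these two hosts.
conn host-to-host
    keyexchange=ikev2
    type=transport
    authby=secret
    left=192.0.2.10
    right=198.51.100.20
    ike=aes256-sha256-modp2048!
    esp=aes256gcm16!
    auto=start

# 2.3 Host-to-network: one roaming host tunnels into the office LAN behind a gateway.
conn home-worker
    keyexchange=ikev2
    type=tunnel
    authby=secret
    left=%defaultroute
    right=198.51.100.1
    rightsubnet=10.2.0.0/24
    ike=aes256-sha256-modp2048!
    esp=aes256gcm16!
    auto=start

# 2.4 Network-to-network: tunnel mode between two gateways; the LAN hosts on
# either side need no IPsec software, the gateways encapsulate for them.
conn net-to-net
    keyexchange=ikev2
    type=tunnel
    authby=secret
    left=192.0.2.1
    leftsubnet=10.1.0.0/24
    right=198.51.100.1
    rightsubnet=10.2.0.0/24
    ike=aes256-sha256-modp2048!
    esp=aes256gcm16!
    auto=start

# /etc/ipsec.secrets  (mode 0600, the same entry on both peers of each connection)
192.0.2.10 198.51.100.20 : PSK "replace-with-a-long-random-string"
192.0.2.1 198.51.100.1 : PSK "replace-with-a-different-long-random-string"
%any 198.51.100.1 : PSK "replace-with-a-third-long-random-string"
```

The difference between the first connection and the other two is the mode: transport mode keeps the original IP header and protects only the payload, while tunnel mode wraps the whole inner packet in a new outer IP header addressed gateway to gateway, which is what lets hosts in 10.1.0.0/24 reach 10.2.0.0/24 without knowing the tunnel exists. A pre-shared key is the simplest authentication for IKE, but it is a password in the sense of section 1.4 and is exposed to the same guessing problem if it is short, so certificates are preferred where many peers are involved.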
Conclusion
In conclusion, the virtual private network gives the network industry a secure way to link sites. A VPN reduces the cost of connecting distant networks by carrying the traffic over the Internet. Writing this report has built a clearer understanding of how a VPN is implemented and configured: the general structure, the security mechanisms and the different VPN topologies. Together these give the main idea of the Virtual Private Network.
List of references
Comer, D. E. (1997), Computer Networks and Internets, Prentice Hall, pp. 278-281
Fowler, D. (2005), Authentication and Authorisation, Lecture Note
Fowler, D. (2005), Encryption, Lecture Note
IPsec Host-to-Host Configuration, https://www.redhat.com/docs/manuals/enterprise/RHEL-3-Manual/security-guide/s1-ipsec-host2host.html, 2005 [Accessed: 30/08/05]
IPsec Network-to-Network Configuration, https://www.redhat.com/docs/manuals/enterprise/RHEL-3-Manual/security-guide/s1-ipsec-net2net.html, 2005 [Accessed: 30/08/05]
Knipp, E., Browne, B., Weaver, W., Baumrucker, C. T., Chaffin, L., Caesar, J., Osipov, V., Danielyan, E. (2002), Managing Cisco Network Security, (2nd edn), Callisma, pp. 2-3
Linux VPN Fundamentals, http://www.informit.com/articles/article.asp?p=25946&rl=1, 2005 [Accessed: 31/08/05]