IP-SEC Site to Site VPN Connectivity - Article Example

Summary
This article "IP-SEC Site to Site VPN Connectivity" presents Site-to-site virtual private networks (VPN) tunnels that have been adopted for secure data, voice, and video transmission between two areas or sites, for example, branches or offices…

Extract of sample "IP-SEC Site to Site VPN Connectivity"

IP-SEC SITE TO SITE VPN CONNECTIVITY

1. Introduction

A Virtual Private Network (VPN) is a network technology for creating a secure network connection over a public network such as the internet or a service-provider-owned private network. It is widely used by educational institutions, large corporations, and government agencies to let remote users connect securely to a private network. Multiple sites can be connected with a VPN over large distances, just as with a WAN (Wide Area Network), and VPNs are commonly used to extend intranets worldwide in order to disseminate news and information to a wider user base. Educational institutions use VPNs extensively to connect satellite campuses that may be distributed nationally or internationally [Bal07]. To gain access to the private network, a user must authenticate with a password and a unique identifier. Access also requires an authentication token: a PIN (Personal Identification Number), a unique authentication code that changes at a fixed interval, every 30 minutes. With a VPN, a private network can be extended across a public network or the internet: users can send and receive data across shared or public networks as if their devices and computers were connected directly to the private network. A VPN provides its users with security, functionality, and network management. However, VPNs can also introduce new problems, and VPN services, especially free ones, can violate their users' privacy when usage is logged and made available without consent, or when money is made by selling users' bandwidth to other users [Col10].
Some VPNs give employees secure access to a corporate intranet when they are outside the office premises; others securely connect geographically separated offices of the same company into a single cohesive network. Individual internet users also use VPNs to circumvent censorship and geo-restrictions, secure their wireless transactions, and connect to proxy servers that hide their location and personal identity. Some internet sites, however, block access from known VPNs to prevent circumvention of geo-restrictions. A VPN is created by establishing a point-to-point connection using traffic encryption, virtual tunneling protocols, or dedicated connections [Col10]. A VPN available over the public internet provides some of the benefits of a wide area network: resources that are always available within the private network can be accessed remotely.

Figure 1: Internet VPN

2. Literature Review

Early data networks provided VPN-style remote connectivity through leased lines or dial-up modem connections, together with the virtual circuits of Frame Relay and Asynchronous Transfer Mode supplied over networks owned and operated by telecommunication carriers. These are not true VPNs because they do not fully secure the transmitted data; they only create logical data streams. Today they have been replaced by VPNs based on IP networks and MPLS (Multiprotocol Label Switching) networks [DeC02]. This change is driven by the increased bandwidth and reduced costs that newer technologies, such as fiber-optic networks and Digital Subscriber Line (DSL), have provided. Early VPNs used a point-to-point topology and did not support broadcast domains, so services such as Microsoft Windows NetBIOS could not operate fully as they did on a LAN.
To overcome these limitations, VPN variants such as layer 2 tunneling protocols and VPLS (Virtual Private LAN Service) were developed. A VPN can connect a single computer to a network (remote access) or connect two networks to each other (site to site). In a corporate setting, remote-access VPNs allow employees to reach their organization's intranet while traveling or working from home [Bod04]. Site-to-site VPNs, by contrast, give an organization with geographically disparate offices one cohesive virtual network that all employees share. A VPN can also interconnect two similar networks over a dissimilar intermediate network; an example is two IPv6 networks connected over IPv4.

2.1 How an IPsec VPN Site-to-Site Tunnel Works

To fully understand how IPsec site-to-site tunnels operate, it is important to understand each term used in an IPsec site-to-site VPN setup and the role it plays.

2.1.1 IPsec

IPsec stands for Internet Protocol Security, or IP Security for short. It is a protocol suite that encrypts all IP traffic before the packets are transferred from the source node to their destination. It is also responsible for authenticating the identity of the two nodes before any actual communication takes place between them [HeH08]. When IPsec is configured to use the available algorithms, network traffic can be encrypted and decrypted. It can be configured to work in either of the following two modes:

2.1.2 Tunnel Mode

In this mode IPsec authenticates and/or encrypts the whole packet. After encryption the packet is encapsulated to form a new IP packet with different header information.
IPsec is configured to use tunnel mode when a secure site-to-site VPN tunnel is being set up [HeH08].

2.1.3 Transport Mode

In this mode only the actual payload of the packet is authenticated and/or encrypted. The header information remains unchanged.

2.2 What a VPN Is and Why It Requires Secure Tunnels

As already stated, a VPN is a network setup in which the public network, that is, the internet and the public telecommunication infrastructure, is used to transmit data between offices of the same organization in different geographical locations. Because the public network and public telecommunication infrastructure are unreliable with respect to information security, administrators create a secure tunnel between the source and destination sites or nodes, and it is through these tunnels that the data is transferred. Users can access resources and information from remote sources with the same simplicity and ease as if they were on a local area network [Ahl08]. This is because the tunnels created by the administrators allow communication only between the source and destination sites or nodes.

2.2.1 Site

In VPN and computer networking terms, a site is an office premises or an area in which two different nodes, linked to each other, can share information or communicate over a high-bandwidth network medium, for example 100 Megabits per second (Mbps), 1 Gigabit per second (Gbps) or more. Two nodes are considered to be in the same network site when they are connected at 10 megabits per second or above. Organizations with many branches worldwide use VPNs to connect their branch offices, which enables easy and effective communication between these offices and their headquarters or datacenter [Bal07].

2.3 How Does Site-to-Site VPN Work with IPsec?

We have now looked at each of the above terms individually.
It should now be easier to understand how network communication takes place over a secure VPN tunnel. The following steps occur during site-to-site communication:
a) The source computer C1 forwards packet P1, whose destination IP address is that of computer C2, to router R1.
b) Router R1 receives packet P1 and encrypts the whole packet using the algorithms that have been specified.
c) After encrypting the packet, router R1 encapsulates the whole packet to form a new packet NP1. In this packet the source IP address is R1's IP address and the destination IP address is router R2's IP address at the destination location.
d) Router R1 then sends packet NP1 over the internet to R2's IP address.
e) The destination router R2 receives the packet.
f) Router R2 decapsulates NP1 to obtain the actual packet P1.
g) Router R2 decrypts packet P1 using the correct algorithm.
h) Router R2 forwards packet P1 to the destination computer C2, where the packet is expected to arrive [Opa06].

2.4 The Significance of IPsec VPN Site-to-Site Tunnels

An IPsec VPN offers many advantages, among them the following:
a) It reduces communication costs and resources, since it eliminates the need to buy expensive dedicated leased lines from one location to another; organizations use public telecommunication lines for data transmission instead.
b) Both participating networks have all their nodes and IP addresses hidden from external users, and from one another.
c) All communication between the source site and the destination site remains encrypted, which reduces the chances of information theft and loss.
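To make the exchange of section 2.3 and the tunnel/transport distinction of section 2.1 concrete, here is an added Python model (not code from the essay or from any IPsec implementation) of what gateways R1 and R2 do to packet P1 and what an observer on the public internet can read in each mode. The addresses, keys and payload are constructed, and SHA-256 in counter mode plus an HMAC tag stand in for ESP's AES and integrity algorithms.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    """Minimal IP packet: source address, destination address, payload."""
    src: str
    dst: str
    payload: bytes

    def to_bytes(self) -> bytes:
        return f"{self.src}|{self.dst}|".encode() + self.payload

    @staticmethod
    def from_bytes(raw: bytes) -> "Packet":
        src, dst, payload = raw.split(b"|", 2)   # addresses never contain '|'
        return Packet(src.decode(), dst.decode(), payload)

# Constructed example values: hosts behind each gateway, the gateways' public
# addresses (documentation ranges), the keys R1 and R2 share, and packet P1.
C1, C2 = "10.1.0.5", "10.2.0.7"
R1, R2 = "203.0.113.1", "198.51.100.1"
ENC_KEY, AUTH_KEY = b"k" * 32, b"a" * 32
P1 = Packet(C1, C2, b"GET /payroll|C2")

def _crypt(iv: bytes, data: bytes) -> bytes:
    # SHA-256 in counter mode XORed over the data stands in for ESP's AES
    # (toy assumption); the same call encrypts and decrypts.
    stream = b"".join(hashlib.sha256(ENC_KEY + iv + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, stream))

def _tag(src: str, dst: str, body: bytes) -> bytes:
    # HMAC over the outer header and ciphertext stands in for ESP's ICV.
    return hmac.new(AUTH_KEY, f"{src}|{dst}|".encode() + body, hashlib.sha256).digest()

def protect(pkt: Packet, mode: str) -> Packet:
    """Gateway R1: encrypt, authenticate and, in tunnel mode, encapsulate."""
    if mode == "tunnel":   # whole P1, inner header included, is hidden
        plain, src, dst = pkt.to_bytes(), R1, R2
    else:                  # transport: payload only, original header kept
        plain, src, dst = pkt.payload, pkt.src, pkt.dst
    iv = os.urandom(8)
    body = iv + _crypt(iv, plain)
    return Packet(src, dst, body + _tag(src, dst, body))   # NP1 on the wire

def unprotect(wire: Packet, mode: str) -> Packet:
    """Gateway R2: check integrity first, then decrypt and decapsulate."""
    body, tag = wire.payload[:-32], wire.payload[-32:]
    if not hmac.compare_digest(tag, _tag(wire.src, wire.dst, body)):
        raise ValueError("integrity check failed; packet dropped")
    plain = _crypt(body[:8], body[8:])
    return Packet.from_bytes(plain) if mode == "tunnel" else Packet(wire.src, wire.dst, plain)

def site_to_site(mode: str):
    """C1 -> R1 -> internet -> R2 -> C2; returns (NP1 seen on the wire, delivered packet)."""
    np1 = protect(P1, mode)
    return np1, unprotect(np1, mode)

def tampered_is_rejected(mode: str) -> bool:
    """Flip one ciphertext byte in transit; R2 must drop the packet."""
    np1 = protect(P1, mode)
    bad = np1.payload[:10] + bytes([np1.payload[10] ^ 1]) + np1.payload[11:]
    try:
        unprotect(Packet(np1.src, np1.dst, bad), mode)
    except ValueError:
        return True
    return False
```

In tunnel mode the wire packet carries only R1 and R2 as addresses, which is the "nodes and IP addresses hidden" property of section 2.4; in transport mode the C1 and C2 addresses stay visible and only the payload is hidden.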
2.5 Disadvantages of Site-to-Site VPN

a) Very expensive routers are needed at every site to act as VPN servers.
b) CPU use and processing overhead increase because of the encapsulation, decapsulation, encryption, and decryption performed at the routers, so users experience slower communication.
c) The IPsec VPN configuration process is complex, so highly qualified and skilled IT personnel are required to get it right [Che02].

3. Analysis

3.1 Classifications of Virtual Private Networks

VPNs can be classified by: the protocols used for tunneling traffic; the point at which the tunnel terminates, for example at the network provider or at the customer edge; whether the connectivity offered is network-to-network or site-to-site; the level of security provided; and the OSI layer presented to the connecting network, for example layer 3 network connectivity or layer 2 circuits [Che02].

Figure 2: Site-to-Site Virtual Private Network Configuration

The diagram above shows a site-to-site VPN configuration in which all the nodes are linked to discrete networks separated by public or otherwise unsecured networks. Because of the security needs of these network segments, the end nodes may be unable to exchange data on the network unless the VPN is in place. This type of VPN configuration is commonly referred to as a "closed" site-to-site network topology. Alternatively, all the end nodes connected to the segment may be able to exchange data freely, using other networks to relay data back and forth. This exchange of data is unsecured, and in this type of environment IPsec is used to secure some or all of the exchanged data [Pat04]. This type of VPN configuration is referred to as an "open" site-to-site network design.
The main point is that in either case IPsec is implemented by gateways that secure the data exchange. It is important to note that while this data is being secured, the end nodes connected to the networks being secured have no knowledge of what is happening.

3.2 Protocols

A number of VPN protocols can be used to secure data traffic transported over the public network infrastructure, and these protocols vary slightly in how they keep data secure. IP Security (IPsec) is used to secure communications over the internet. IPsec traffic can use either tunnel mode or transport mode to encrypt data traffic in a VPN [Pat04]. The difference between the two is that tunnel mode encrypts the entire data packet, while transport mode encrypts only the message within the data packet, known as the payload. Because IPsec is used as a security layer for other protocols, it is commonly known as a "security overlay." Transport Layer Security (TLS) and Secure Sockets Layer (SSL) use cryptography to secure information over the internet. These protocols use a handshake authentication method in which network parameters are negotiated between the client and the server machines. A certificate-based authentication process is used to initiate a connection successfully; these certificates are cryptographic keys stored on both the client and the server. Point-to-Point Tunneling Protocol (PPTP) is another protocol used to connect a client over the internet to a private server. It is the most widely used VPN protocol because of its ease of maintenance and straightforward communication; a further advantage is that it is included with the Windows operating system [Joh07]. Layer 2 Tunneling Protocol (L2TP) is a protocol used for tunneling data communication traffic between two sites over the internet.
L2TP has always been used in tandem with IPsec; in this arrangement IPsec acts as the security layer, securing the transfer of L2TP data packets over the internet. Unlike PPTP, a VPN implemented with L2TP/IPsec requires a shared key and the use of certificates [Bod06]. To prevent unintentional interception of data between private sites and to ensure security, VPN technologies use sophisticated encryption. To ensure data integrity and privacy, all traffic over the VPN is encrypted using these algorithms. A strict set of rules and standards governs VPN architecture so that a private communication channel between different sites is ensured. Deciding the scope of a VPN is the responsibility of corporate network administrators, who also implement and deploy the VPN and continuously monitor network traffic [Lak]. A VPN requires that its administrators remain continually aware of its scope and overall architecture if communication is to be kept private.

4. Management

4.1 Security Mechanisms

It is worth noting that a VPN cannot make online connections completely anonymous, but it does increase security and privacy. VPNs allow only authenticated remote access, using encryption techniques and tunneling protocols to prevent the disclosure of private information [Miz08]. VPN security models provide the following:
a) Confidentiality: even if network traffic is sniffed at the packet level, an attacker sees only the encrypted data.
b) Sender authentication: the aim of authenticating the sender is to prevent unauthorized users from accessing the VPN [Bol05].
c) Message integrity: this aims to detect tampering with messages that have been transmitted.

The Internet Protocol Security protocol (IPsec) provides enhanced security features, for example comprehensive authentication and better encryption algorithms. The two encryption modes that IPsec uses perform different functions [Miz08]: transport mode encrypts only the payload, while tunnel mode encrypts both the header and the payload of every packet. This protocol can only be used by systems that are IPsec compliant. All devices must use a common key, and each network should have a firewall with the same security policy settings. IPsec can encrypt data between various devices, for example firewall to router, router to router, PC to server, and PC to router [Bol05].

4.2.1 Authentication

Before a secure VPN can be created, the tunnel endpoints must be authenticated. User-created remote-access VPNs can use passwords, biometrics, two-factor authentication and/or other cryptographic methods. Network-to-network tunnels often use digital certificates. To allow the tunnel to be established automatically without administrator intervention, the key is stored permanently [Lak].

4.2.2 Routing

Tunneling protocols can be used in a point-to-point topology that would not be considered a VPN, because a VPN is expected to support arbitrary and changing sets of network nodes. Since most router implementations support a software-defined tunnel interface, customer-provisioned VPNs simply consist of a set of tunnels over which conventional routing protocols operate [Chu03].

5. Conclusion

Site-to-site virtual private network (VPN) tunnels have been adopted for secure data, voice, and video transmission between two areas or sites, for example branches or offices. The VPN is created over the public internet and encrypted with several advanced algorithms to provide security and confidentiality for the data transmitted between the two sites or nodes [Car12].

Reference List

Bal07: Ballani & Francis, 2007
Col10: Colar, et al., 2010
DeC02: De Clercq & Paridaens, 2002
Bod04: Boden & Monroe, 2004
HeH08: He, 2008
Ahl08: Ahlard, et al., 2008
Opa06: Opara & Marchewka, 2006
Che02: Cheung & Misic, 2002
Pat04: Pathan & Irshad, 2004
Joh07: Joha, et al., 2007
Bod06: Boden & Palemo, 2010
Lak: Lakbabi, et al., 2012
Miz08: Mizell, et al., 2008
Bol05: Bollapragada, et al., 2005
Chu03: Chu, et al., 2004
Car12: Carrasco, 2012