A Virtual Private Network (VPN) is a connection that has the
appearance and many of the advantages of a dedicated link, but runs over a
shared network. Using a technique called "tunneling", data packets are
transmitted across a public routed network, such as the Internet or another
commercially available network, inside a "tunnel" that simulates a
point-to-point connection: each original packet is encapsulated in an outer
packet addressed to the far end of the tunnel, so the shared network only ever
sees the two tunnel endpoints. This approach enables network traffic from many
sources to travel via separate tunnels across the same infrastructure. It allows
network protocols to traverse infrastructures that do not carry them natively
(for example, private addresses or non-IP protocols across the public Internet).
It also enables traffic from many sources to be differentiated, so that it can
be directed to specific destinations and receive specific levels of service.
Tunneling by itself only encapsulates; the "private" in VPN depends on the
encryption and authentication added on top of the tunnel, described below.
Tunnel initiation and termination can be performed by a
variety of network devices and software. A tunnel could be started, for example,
by a VPN-enabled access concentrator at an ISP Point of Presence (PoP).
It could also be started by a VPN-enabled access router on an
enterprise branch or home office LAN, or by
an end user’s laptop equipped with an analog PC modem card and VPN-enabled
dial-up software. Basic tunneling and security capabilities are bundled into
Windows 95 and Windows NT 4.0.
A tunnel could be ended by a VPN gateway on an ISP’s or NSP’s
network access router, or by a tunnel terminator or switch on the enterprise
network. In addition, there will usually be one or more security servers. Along
with the conventional application of firewalls and address translation, VPNs can
provide data encryption, authentication and authorization. Tunneling
devices perform these functions by communicating with security servers
(typically RADIUS, as discussed in Step 5). Such servers also usually provide
information on bandwidth, tunnel end-points and, in some cases, network policy
information and service levels.
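The encapsulation that the two paragraphs above describe, as an added example that is not code from the article or from 3Com: a tunnel initiator wraps a packet carrying private (non-routable) addresses inside an outer IP packet addressed to the tunnel terminator, and the terminator unwraps it. The envelope used here is a plain GRE header with a key field (the key identifies which tunnel a packet belongs to, so many tunnels can share one terminator even when their inner addresses overlap); PPTP’s data channel is a GRE variant, but this block is an illustration of tunneling in general, not of any named product. Addresses, payloads and the key value are constructed sample data.

```python
"""Toy IP-in-GRE tunnel: encapsulate a private-address IPv4 packet for transit
across a public network and decapsulate it at the far end.

Added example, not from the article or from 3Com. The public tunnel endpoint
addresses are from the RFC 5737 documentation ranges; everything is constructed.
"""
import socket
import struct

GRE_PROTO = 47           # IP protocol number for GRE
GRE_KEY_FLAG = 0x2000    # K bit in the GRE flags word (RFC 2890)
ETHERTYPE_IPV4 = 0x0800  # GRE "protocol type" for an IPv4 payload


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ident: int = 1) -> bytes:
    """Minimal IPv4 packet (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Validate the header checksum and return the fields a tunnel endpoint needs."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl or checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "proto": pkt[9], "payload": pkt[ihl:total_len]}


def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str, key: int) -> bytes:
    """Tunnel initiator: hide the inner packet behind an outer IP header addressed
    to the far tunnel endpoint. Only tunnel_src/tunnel_dst are visible to the
    public network; the GRE key tells the terminator which tunnel this is."""
    parse_ipv4(inner)  # refuse to tunnel garbage
    gre = struct.pack("!HHI", GRE_KEY_FLAG, ETHERTYPE_IPV4, key)
    return build_ipv4(tunnel_src, tunnel_dst, GRE_PROTO, gre + inner)


def decapsulate(frame: bytes, expected_key: int) -> bytes:
    """Tunnel terminator: strip the outer header and GRE envelope, checking that
    the packet really is GRE for this tunnel before forwarding the inner packet
    onto the private network."""
    outer = parse_ipv4(frame)
    if outer["proto"] != GRE_PROTO or len(outer["payload"]) < 8:
        raise ValueError("outer packet is not GRE")
    flags, proto, key = struct.unpack("!HHI", outer["payload"][:8])
    if not flags & GRE_KEY_FLAG or proto != ETHERTYPE_IPV4:
        raise ValueError("unexpected GRE header")
    if key != expected_key:
        raise ValueError("GRE key %d does not belong to tunnel %d" % (key, expected_key))
    inner = outer["payload"][8:]
    parse_ipv4(inner)  # validate before handing it to the private network
    return inner


if __name__ == "__main__":
    # Constructed sample: a branch-office host (10.0.0.5) talking to a head-office
    # server (192.168.1.10); neither address is routable on the public Internet.
    inner = build_ipv4("10.0.0.5", "192.168.1.10", 17, b"branch->hq payload")
    frame = encapsulate(inner, "203.0.113.5", "198.51.100.9", key=42)
    print("public network sees:", parse_ipv4(frame)["src"], "->", parse_ipv4(frame)["dst"])
    print("private network gets:", parse_ipv4(decapsulate(frame, 42))["dst"])
```

Note what this does not do: the inner packet crosses the public network in the clear, and nothing here proves who sent it. That is exactly why a VPN pairs the tunnel with the encryption and authentication discussed under Step 5; a tunnel alone gives reachability, not privacy.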
Step # 1 - Assessing the needs
Assessing the requirements is, of course, the first step
in VPN planning as well. The requirements break down into two
categories:
- Remote access for road warriors or the mobile workforce:
  - A list of the locations the mobile workforce is expected to travel to, or
    the locations you would like the VPN to cover.
  - An approximate idea of the applications a mobile worker is likely to use
    and the bandwidth each worker may require.
- VPN as a leased-line alternative for branch offices or partners:
  - A list of the branch office and/or partner locations you want to cover in
    the VPN.
  - An approximate idea of the processes that may run simultaneously across the
    link and the aggregate bandwidth required to support them.
Step # 2 - Choosing the service provider
ISPs and some NSPs already own a significant amount of
infrastructure. However, the ideal VPN provider is one who addresses the
following broad issues:
- Cost: optimizing communication expenditure.
- Security: protecting the network and protecting the data.
- Scalability: in terms of supporting large numbers of users as well as
  bandwidth, since one may want to increase the bandwidth from time to time.
- Quality of Service: providing reliable access with acceptable performance,
  and making it easy for users and for managers to set up, maintain and use.
- Point of Presence: the service provider should have a direct or indirect
  presence in all the locations where a mobile worker may travel and at the
  branch office/partner locations.
And, specifically on the requirements, the issues covered in Steps 3 and 4.
Step # 3 - Remote access
The Remote Access Server (RAS) is the point of access for the mobile
worker, and the service provider needs to ensure that it has the following
capabilities enabled, with "simultaneous" being the key word:
- The service provider should support the VPN protocols PPTP, L2TP and IPSec,
  so that there is a choice of protocol.
- It should be able to support the maximum number of simultaneous encrypted
  tunnels using Triple DES or similar. Encryption consumes a large amount of
  processing power, so the number of ports a RAS can terminate is not the
  number of encrypted tunnels it can carry at once.
- The service provider should support Quality of Service on the RAS so that it
  can give a bandwidth commitment to the mobile user.
- As far as possible, verify the management and troubleshooting capability of
  the service provider for VPN networks.
Step # 4 - The leased line
For connecting the corporate office to the branch offices
as well as the mobile workforce, a leased-line connection between the nearest
PoP of the ISP and the corporate LAN is required. The following must be
ensured while choosing a service provider:
- The service provider should be able to commit bandwidth between its network
  and the corporate LAN (the bandwidth required being as per Step #1).
- The service provider should be able to commit to SLAs on the performance and
  availability of these leased lines, since every tunnel terminates across this
  one link and its failure affects the entire private network.
Step # 5 - Security
The VPN needs to ensure the security of the network and the
data, so the RADIUS server and RAS should be able to provide the following
critical functionalities:
- Authentication/access control: a choice of PAP and CHAP (the password-based
  and challenge-based systems) along with a RADIUS server tightly integrated
  with the RAS, plus hardware-based tokens and digital certificates, provides
  sufficient control over access to the network. Note that PAP sends the
  password across the link in the clear, whereas CHAP sends only a hash of a
  server-issued challenge and the secret, so prefer CHAP (or token- or
  certificate-based methods) wherever the client supports it.
- Data confidentiality and integrity: encryption of the data with an
  algorithm such as Triple DES protects its confidentiality. Integrity
  (detecting modification in transit) is a separate service, provided in IPSec
  by a keyed hash (HMAC) in AH or ESP, so check that the provider’s tunnels
  offer both rather than encryption alone.
Depending on the security requirements, the RADIUS server
for the VPN can be either at the ISP or within the
corporate LAN. With the RADIUS server inside the corporate LAN, the ISP’s
RADIUS server acts as a proxy and supports domain-based authentication: for
example, a user logging in as user@yourdomain.com is directed to your network
for authentication, so the corporate passwords never need to be held by the ISP.
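The CHAP exchange and the domain-based RADIUS routing described in this step, as an added example that is not code from the article or from 3Com. The RAS issues a random challenge, the dial-in user answers with MD5(Identifier || secret || Challenge) as RFC 1994 specifies, and the RAS decides from the realm part of the username whether the answer is checked against the ISP’s own user store or handed to the corporate RADIUS server. The user names, secrets, realm and the in-memory dictionaries standing in for the two RADIUS back ends are all constructed for the example.

```python
"""CHAP (RFC 1994) challenge/response with realm-based routing of the
authentication decision between an ISP RADIUS server and a corporate one.

Added example, not from the article or from 3Com. Credential stores, names
and the corporate realm are constructed stand-ins for real RADIUS back ends.
"""
import hashlib
import hmac
import os

# Constructed credential stores. CHAP needs the verifier to know the plaintext
# secret, which is one reason to keep corporate passwords on the corporate
# RADIUS server and let the ISP only proxy requests for that realm.
ISP_USERS = {"alice": "isp-dialup-pw"}
CORPORATE_USERS = {"bob": "hq-secret-pw"}
CORPORATE_REALM = "yourdomain.com"


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 section 2: MD5(Identifier || secret || Challenge).
    The peer proves it knows the secret without ever sending it on the link."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode() + challenge).digest()


def split_realm(username: str):
    """'bob@yourdomain.com' -> ('bob', 'yourdomain.com'); no '@' -> plain ISP user."""
    if "@" in username:
        user, realm = username.rsplit("@", 1)
        return user, realm.lower()
    return username, None


def verify_at(store: dict, user: str, identifier: int,
              challenge: bytes, response: bytes) -> bool:
    """What a RADIUS server does with a CHAP-Password/CHAP-Challenge pair:
    recompute the expected response and compare in constant time."""
    secret = store.get(user)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def ras_authenticate(username: str, identifier: int,
                     challenge: bytes, response: bytes) -> str:
    """The RAS's routing decision: corporate realm -> proxy to the corporate
    RADIUS; no realm -> the ISP's own RADIUS; anything else -> reject.
    Returns a string naming which server decided and its verdict."""
    user, realm = split_realm(username)
    if realm == CORPORATE_REALM:
        ok = verify_at(CORPORATE_USERS, user, identifier, challenge, response)
        return "corporate-radius:accept" if ok else "corporate-radius:reject"
    if realm is None:
        ok = verify_at(ISP_USERS, user, identifier, challenge, response)
        return "isp-radius:accept" if ok else "isp-radius:reject"
    return "reject:unknown-realm"


def dial_in(username: str, secret: str, identifier: int = 1,
            challenge: bytes = None) -> str:
    """The full three-message exchange for one dial-in attempt."""
    if challenge is None:
        challenge = os.urandom(16)                              # RAS -> peer: Challenge
    response = chap_response(identifier, secret, challenge)    # peer -> RAS: Response
    return ras_authenticate(username, identifier, challenge, response)  # RAS -> peer: Success/Failure


if __name__ == "__main__":
    print("bob@yourdomain.com  ->", dial_in("bob@yourdomain.com", "hq-secret-pw"))
    print("alice (ISP account) ->", dial_in("alice", "isp-dialup-pw"))
    print("bob without realm   ->", dial_in("bob", "hq-secret-pw"))
    print("bob, wrong password ->", dial_in("bob@yourdomain.com", "guess"))
```

Because the challenge is fresh for every attempt, a response captured from one session is useless against the next one, which is the property PAP lacks. CHAP’s MD5 construction is dated, however: anyone who captures a challenge/response pair can brute-force the secret offline, so a strong secret, or the token- or certificate-based methods mentioned above, is still needed on top of it.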
Step # 6 - The router
The router is a key element in the VPN, and the following need to
be ensured for the router within the corporate LAN:
- The router model may have been sold with VPN as one of its features, but the
  feature may not have been enabled. Also, the software version, memory and
  processing power may not be enough to support VPN for "mobile user to LAN"
  or "LAN-to-LAN" use at the tunnel counts and bandwidth estimated in Step #1.
- The router should support all the VPN protocols in use: PPTP, L2TP or IPSec.
- The router should be based on open standards rather than proprietary
  protocols in order to interoperate with the RAS and RADIUS for QoS.
- The service provider should be able to interoperate with your router and the
  network protocols you wish to run, as any change to these specifications
  would mean additional cost for your network.
Step # 7 - Training
VPNs offer great value for money and extend your network’s
reach with very little effort and expenditure.
However, it is critical to get the key technical people trained in the
technology for the implementation, troubleshooting and maintenance of VPN
networks.
Himanshu Goel
technical sales manager, Carrier Networks, 3Com India Ltd