
How to Set Up... A Virtual Private Network

VoicenData Bureau

A Virtual Private Network (VPN) is a connection that has the appearance and many of the advantages of a dedicated link, but occurs over a shared network. Using a technique called "tunneling", data packets are transmitted across a public routed network, such as the Internet or other commercially available network, in a private "tunnel" that simulates a point-to-point connection. This approach enables network traffic from many sources to travel via separate tunnels across the same infrastructure. It allows network protocols to traverse incompatible infrastructures. It also enables traffic from many sources to be differentiated, so that it can be directed to specific destinations and receive specific levels of service.


[Figure: Basic VPN Connection]

Tunnel initiation and termination can be performed by a variety of network devices and software. A tunnel could be started, for example, by a VPN-enabled access concentrator at an ISP Point of Presence (PoP). It could also be started by a VPN-enabled access router on an enterprise branch or home office LAN, or by an end user's laptop equipped with an analog PC modem card and VPN-enabled dial-up software. Basic tunneling and security capabilities are bundled into Windows 95 and Windows NT 4.0.

A tunnel could be ended by a VPN gateway on an ISP's or NSP's network access router, or by a tunnel terminator or switch on an enterprise network. In addition, there will usually be one or more security servers. Along with the conventional application of firewalls and address translation, VPNs can provide for data encryption, authentication, and authorization. Tunneling devices perform these functions by communicating with security servers. Such servers also usually provide information on bandwidth, tunnel end-points, and, in some cases, network policy information and service levels.


Step #1

  • Assessing the needs

Assessing the requirements is, of course, the first step in VPN planning as well. We can break the requirements down into two categories:

  • Remote access for road warriors or the mobile workforce.

  1. A list of locations which the mobile workforce is expected to travel to, or the locations you would like covered by the VPN.

  2. An approximate idea of the applications a mobile worker is likely to use and the bandwidth that he may require.

  • VPN as a leased-line alternative for branch offices or partners.

  1. A list of branch office and/or partner locations you may want to cover in the VPN.

  2. An approximate idea of the processes that may run simultaneously and the bandwidth that would be required to support them.

Step #2

  • Choosing the service provider

ISPs and some NSPs already own a significant amount of infrastructure. However, a perfect VPN provider is one who addresses the following broad issues:

  • Cost: Optimizing communication expenditures.

  • Security: Protecting the network and protecting data.

  • Scalability: In terms of supporting large numbers of users as well as bandwidth, since one may want to increase the bandwidth from time to time.

  • Quality of Service: Providing the ability to access the network reliably with acceptable performance, ease of deployment, management, and use. Making it easy for users and for managers to set up, maintain, and use.

  • Point of Presence: The service provider should have either a direct or an indirect presence in all the locations where a mobile worker may travel and at the branch office/partner locations.

And, specifically on the requirements, the following issues (Steps 3 & 4):


Step #3

  • Remote access

The Remote Access Server (RAS) is the point of access for the mobile worker, and the service provider needs to ensure that it has the following capabilities enabled, with "simultaneous" being the key word:

  • The service provider should support VPN protocols like PPTP, L2TP, and IPSec so that there is a choice of protocols.

  • It should be able to support the maximum number of encrypted tunnels using Triple DES or similar techniques (encryption consumes a huge amount of processing power).

  • The service provider should support Quality of Service on the RAS so that it can provide a bandwidth commitment to the mobile user.

  • As far as possible, it is vital to verify the service provider's management and troubleshooting capability for VPN networks.

Step #4

  • The Leased-Line

For connecting the corporate office to the branch offices as well as the mobile workforce, a leased-line connection between the nearest PoP of the ISP and the corporate LAN is required. The following needs must be ensured while choosing a service provider:

  • The service provider should be able to commit bandwidth between its network and the corporate LAN (the bandwidth required would be as per Step #1).

  • The service provider should be able to commit to SLAs on the performance and availability of these leased lines, as these would affect the entire private network.

Step #5

  • Security

A VPN needs to ensure the security of the network and the data, so the RADIUS server and RAS should be able to provide the following critical functionalities:

  • Authentication/access control: A choice of PAP and CHAP, the password-based and challenge-based systems, along with a RADIUS server that is tightly integrated with the RAS, as well as hardware-based tokens and digital certificates, provide a sufficient amount of security to control access to the network.

  • Data integrity: Encryption of the data using various encryption algorithms like Triple DES provides enough protection of the data.

Depending on the security requirements, the RADIUS server for the VPN can be either at the ISP or within the corporate LAN. If the RADIUS server is inside the corporate LAN, the ISP would then be able to support domain-based authentication (for example, a user with the username user@yourdomain.com can be directed to your network for authentication).
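The domain-based routing and CHAP check described above, as an added Python example that is not from the original article: the ISP's RADIUS proxy forwards a `user@yourdomain.com` request to the RADIUS server inside the corporate LAN, which recomputes the RFC 1994 CHAP response. The realm name, user directory and server labels are constructed for illustration.

```python
import hashlib
import secrets

# Constructed sample directory. CHAP obliges the authenticating server to hold the
# cleartext password, because it must recompute MD5(id || secret || challenge).
CORP_REALM = "yourdomain.com"
CORP_USERS = {"alice": "correct horse battery staple"}


def split_realm(username):
    """Split 'user@realm' into (user, realm); realm is None when absent."""
    user, sep, realm = username.rpartition("@")
    if not sep:
        return username, None
    return user, realm.lower()


def route_request(username):
    """Decide where the ISP's RADIUS proxy should send this Access-Request."""
    _, realm = split_realm(username)
    if realm == CORP_REALM:
        return "corporate-radius"   # forward into the corporate LAN
    return "isp-radius"             # authenticate locally at the ISP


def chap_response(chap_id, secret, challenge):
    """RFC 1994 CHAP: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret.encode() + challenge).digest()


def verify_chap(username, chap_id, challenge, response):
    """Corporate RADIUS check of a CHAP response forwarded by the RAS."""
    user, realm = split_realm(username)
    if realm != CORP_REALM:
        return False                # never vouch for another realm's users
    password = CORP_USERS.get(user)
    if password is None:
        return False
    expected = chap_response(chap_id, password, challenge)
    return secrets.compare_digest(expected, response)   # constant-time compare


if __name__ == "__main__":
    challenge = secrets.token_bytes(16)   # RAS-generated per dial-in session
    resp = chap_response(7, "correct horse battery staple", challenge)
    print(route_request("alice@yourdomain.com"))
    print(verify_chap("alice@yourdomain.com", 7, challenge, resp))
```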

Step #6

  • The router

The router is a key element in a VPN, and the following needs are to be ensured in the router within the corporate LAN:

  • The router model may have been sold with VPN as one of its features. However, it may not have been enabled. Also, the software, memory and processing power may not be enough to support VPN for "mobile user to LAN" or "LAN-to-LAN".

  • The router should be able to support all the VPN protocols like PPTP, L2TP or IPSec.

  • The router should be based on open standards rather than proprietary protocols in order to interoperate with the RAS and RADIUS for QoS.

  • The service provider should be able to interoperate with your router and the network protocols that you wish to use, as any changes in these specifications would mean additional cost for your network.

Step #7

  • Training

VPNs offer great value for money and extend your network's reach with very little effort and expenditure. However, it is critical to get the key technical people trained on the technology for implementation, troubleshooting and maintenance of VPN networks.

Himanshu Goel

technical sales manager, Carrier Networks, 3Com India Ltd