Open Access
Practical Studies of IP Security Virtual Private Network
Author(s) - V. Rajaravivarma
Publication year - 2020
Language(s) - English
Resource type - Conference proceedings
DOI - 10.18260/1-2--15444
Subject(s) - private network, ipsec, network security, enterprise private network, computer science, troubleshooting, the internet, networking hardware, local area network, computer security, ethernet, intranet, network administrator, internet security, computer network, information security, world wide web, operating system, security service
This paper addresses the demands of network developers and security administrators to stay up to date with the technological developments in the ever-changing computer network field. This paper seeks to meet the educational need at Central Connecticut State University (CCSU) and adopts innovative laboratory experiences and practices developed in the Information Technology (IT) industry. The target audience is senior-year students in ABET-accredited Computer Engineering/Technology or Computer Science programs with a background in (i) the Internet; (ii) IP addressing; (iii) Local Area Network technologies, such as Ethernet; and (iv) basic router configuration. In the first half of the paper, the key concepts related to Internet Protocol Security (IPSec) and Virtual Private Network (VPN) technologies are discussed in detail. In the second half of the paper, the lab-time procedure to set up a VPN test lab at Central Connecticut State University (CCSU) is described. This section also focuses on configuring the VPN Hardware Client and configuring the VPN Concentrator. Once implemented, this lab can be used for many different purposes and can be very valuable as a troubleshooting and learning aid.

Introduction

A Virtual Private Network (VPN) is a secure private network connection that typically uses a public or shared network as its transport. Of course, the most widely known (and common) public network is the Internet. In essence, a VPN connection is a secure "tunnel" between two devices. There are two main components to a VPN connection: the concentrator and the client.

1. The concentrator is typically located in the central hub site of a company, and its function is to terminate the VPN tunnels that are generated from remote devices. As you may have guessed, the concentrator has at least one interface that is reachable over the Internet.
2. The client is the initiator of the VPN tunnel and is typically located at a remote location. The client can be either software-based or hardware-based. In either case, the client contacts the concentrator (using the publicly accessible Internet interface) to initiate the VPN tunnel. The two parties then negotiate connectivity settings and a VPN tunnel is established. A more detailed explanation of the VPN tunnel setup process is outlined later in this document.

Proceedings of the 2005 American Society for Engineering Education Annual Conference & Exposition. Copyright © 2005, American Society for Engineering Education.

Over the past couple of years, two main uses of VPN have emerged. These are:

• Individual user remote access: As the availability of broadband Internet access has increased, VPN has become the most common method of connecting employees to a company's internal network. The increased popularity of telecommuting has also sparked demand for VPN remote access solutions. For individual user remote access, the VPN client is typically software-based. Most operating systems now have software VPN capabilities built in. More commonly, third-party VPN software, such as the Cisco Systems software VPN client, is used.
• Office connectivity (site-to-site): Another use for VPN which has become popular in the recent past is connecting remote offices to a central hub location. Internet bandwidth has become less expensive lately. This has enabled companies to use the public Internet infrastructure to connect their offices, instead of investing in often costlier private network technologies such as Frame Relay and ATM [1]. When connecting a remote office using VPN, the concept remains the same: a VPN client creates a secure tunnel to a central VPN concentrator. However, the VPN client is hardware-based and is not specific to any individual user on the network. Instead, the VPN hardware client creates the tunnel and shares that VPN tunnel with multiple users that connect to it on its private LAN interface.

The lab exercises accompanying this document are an illustration of site-to-site VPN using the Cisco 3000-series VPN hardware. Other hardware, such as routers from Cisco or other hardware vendors, can also be used to establish site-to-site VPN connectivity.

IP Security Overview

The most common underlying protocol of VPN is called IPSec, short for "IP Security". IPSec operates at Layer 3 of the OSI reference model, the network layer. Its function is to protect and authenticate all IP packets flowing between two VPN tunnel endpoints. One interesting note is that IPSec is a set of open standards and can use many different encryption or authentication schemes. For example, different encryption algorithms such as DES and 3DES are acceptable for use under the standards of IPSec. This makes IPSec rather future-proof, because any new encryption or authentication methods can be introduced and implemented without changing the basic framework of IPSec [2].

IPSec can accommodate many different encryption and authentication methods. Any combination of these different encryption and authentication methods is called an IPSec Security Association (SA). As you can imagine, there can be many different IPSec SAs available for use in any given VPN tunnel. Therefore, the IPSec SA is negotiated upon initial VPN tunnel setup, and it provides the "rules and methods" for the subsequent VPN tunnel.

IPSec provides three important functions:
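
The SA negotiation described in the IP Security Overview above can be modelled in a few lines of Python. This is an added example, not code from the paper or from any Cisco product; the `Transform` type, the function names, the sample policies and the use of AES-256, HMAC-SHA1 and HMAC-MD5 are assumptions, and the model ignores other negotiated parameters such as lifetimes and Diffie-Hellman groups.

```python
from typing import NamedTuple, Optional, Sequence

class Transform(NamedTuple):
    """One encryption + authentication combination a peer will accept."""
    encryption: str
    authentication: str

# Assumption for this example: single DES (56-bit key) is the only
# algorithm flagged as weak; extend the set to match local policy.
WEAK_ALGORITHMS = {"DES"}

def negotiate(client_offers: Sequence[Transform],
              concentrator_policy: Sequence[Transform]) -> Optional[Transform]:
    """Pick the first client offer that the concentrator also permits.

    Offers are in the client's preference order. None means the peers
    share no transform, so no SA (and no tunnel) is established.
    """
    permitted = set(concentrator_policy)
    for offer in client_offers:
        if offer in permitted:
            return offer
    return None

def audit(policy: Sequence[Transform]) -> list:
    """Return the transforms in a policy that rely on a weak algorithm."""
    return [t for t in policy
            if {t.encryption, t.authentication} & WEAK_ALGORITHMS]

# Constructed sample data (not from the paper's lab configuration).
CONCENTRATOR_POLICY = [
    Transform("AES-256", "HMAC-SHA1"),
    Transform("3DES", "HMAC-SHA1"),
    Transform("DES", "HMAC-MD5"),   # legacy entry left enabled
]
MODERN_CLIENT = [Transform("AES-256", "HMAC-SHA1"), Transform("3DES", "HMAC-SHA1")]
LEGACY_CLIENT = [Transform("DES", "HMAC-MD5")]

if __name__ == "__main__":
    for name, offers in (("modern", MODERN_CLIENT), ("legacy", LEGACY_CLIENT)):
        print(name, "client negotiates:", negotiate(offers, CONCENTRATOR_POLICY))
    # The tunnel is only as strong as the weakest transform both sides accept,
    # so audit the concentrator policy rather than a single negotiated SA.
    print("weak transforms in policy:", audit(CONCENTRATOR_POLICY))
```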
